Preface



EUROCRYPT 2001, the 20th annual Eurocrypt conference, was sponsored by the IACR, the International Association for Cryptologic Research (see http://www.iacr.org/), this year in cooperation with the Austrian Computer Society (OCG). The General Chair, Reinhard Posch, was responsible for local organization, and registration was handled by the IACR Secretariat at the University of California, Santa Barbara.

In addition to the papers contained in these proceedings, we were pleased that the conference program also included a presentation by the 2001 IACR distinguished lecturer, Andrew Odlyzko, on "Economics and Cryptography" and an invited talk by Silvio Micali, "Zero Knowledge Has Come of Age." Furthermore, there was the rump session for presentations of recent results and other (possibly satirical) topics of interest to the crypto community, which Jean-Jacques Quisquater kindly agreed to run.

The Program Committee received 155 submissions and selected 33 papers for presentation; one of them was withdrawn by the authors. The review process was therefore a delicate and challenging task for the committee members, and I wish to thank them for all the effort they spent on it. Each committee member was responsible for the review of at least 20 submissions, so each paper was carefully evaluated by at least three reviewers, and submissions with a program committee member as a (co-)author by at least six. Final decisions, after intensive web discussions, were taken at a one-day face-to-face program committee meeting. The selection was based on originality, quality, and relevance to cryptology. In most cases, the reviewers provided extensive comments to the authors. Subsequently, the authors made a substantial effort to take these comments into account. I was pleased to see that the field is continuing to flourish and believe that we were able to select a varied and high-quality program. I wish to thank all the authors who submitted papers, thus making such a choice possible, and those of accepted papers for their cooperation in the timely production of revised versions.

Many thanks also go to the additional colleagues who reviewed submissions in their area of expertise: Joy Algesheimer, Seigo Arita, Giuseppe Ateniese, Olivier Baudron, Charles Bennett, Dan Boneh, Annalisa De Bonis, Wieb Bosma, Marco Bucci, Ran Canetti, Anne Canteaut, Suresh Chari, Philippe Chose, Christophe Clavier, Scott Contini, Don Coppersmith, Jean-Sebastien Coron, Ronald Cramer, Nora Dabbous, Ivan Damgard, Giovanni Di Crescenzo, Markus Dichtl, Yevgeniy Dodis, Paul Dumais, Serge Fehr, Marc Fischlin, Roger Fischlin, Matthias Fitzi, Pierre-Alain Fouque, Jun Furukawa, Pierre Girard, Clemente Galdi, Daniel Gottesman, Clemens Holenstein, Rosario Gennaro, Nick Howgrave-Graham, James Hughes, Yuval Ishai, Markus Jakobsson, Eliane Jaulmes, Antoine Joux, Olaf Keller, Ki Hyoung Ko, Reto Kohlas, Takeshi Koshiba, Eyal Kushilevitz, Yehuda Lindell, Helger Lipmaa, Anna Lysyanskaya, Subhamoy Maitra, Tal Malkin, Daniel Mall, Barbara Masucci, Dominic Mayers, Alfred Menezes, Renato Menicocci, Daniele Micciancio, Markus Michels, Miodrag Mihaljevic, Phong Nguyen, Svetla Nikova, Satoshi Obana, Kazuo Ohta, Pino Persiano, David Pointcheval, Bartosz Przydatek, Michael Quisquater, Omer Reingold, Leonid Reyzin, Jean-Marc Robert, Pankaj Rohatgi, Alon Rosen, Ludovic Rousseau, Daniel Simon, Nigel Smart, Adam Smith, Othmar Staffelbach, Martijn Stam, Michael Steiner, Katsuyuki Takashima, Alain Tapp, Christophe Tymen, Shigenori Uchiyama, Frederic Valette, Ramarathnam Venkatesan, Eric Verheul, Stefan Wolf, Akihiro Yamamura, Yuliang Zheng. I apologize for any inadvertent omissions.

The review process was greatly simplified by submission software written by 
Mihir Bellare and Chanathip Namprempre for Crypto 2000, and review software 
developed for EUROCRYPT 2000 by Bart Preneel, Wim Moreau, and Joris 
Claessens. 

I am very grateful to Andre Adelsbach. Skillfully and patiently, he carried the 
main load of background work of the Program Chair, in particular in setting up 
the submission and review servers, providing technical help to the authors and 
committee members, and in the preparation of these proceedings. I would also 
like to thank Michael Steiner and Martin Wanke for technical support, Matthias 
Schunter for organizing the program committee meeting, and Mihir Bellare and 
Michael Waidner for advice. 
Birgit Pfitzmann
A Memory Efficient Version of Satoh's Algorithm

Frederik Vercauteren*, Bart Preneel, and Joos Vandewalle

K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC,
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium.
{Frederik.Vercauteren, Bart.Preneel, Joos.Vandewalle}@esat.kuleuven.ac.be
Abstract. In this paper we present an algorithm for counting points on elliptic curves over a finite field $\mathbb{F}_{p^n}$ of small characteristic, based on Satoh's algorithm. The memory requirement of our algorithm is $O(n^2)$, where Satoh's original algorithm needs $O(n^3)$ memory. Furthermore, our version has the same run time complexity of $O(n^{3+\varepsilon})$ bit operations, but is faster by a constant factor. We give a detailed description of the algorithm in characteristic 2 and show that the amount of memory needed for the generation of a secure 200-bit elliptic curve is within the range of current smart card technology.

Keywords: elliptic curve, finite field, order counting, Satoh's algorithm



1 Introduction

In 1985 Schoof [12] described a polynomial time algorithm for counting the number of points on an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, with $q = p^n$. The run time of the algorithm is $O(\log^{5+\varepsilon} q)$ bit operations using fast arithmetic and the memory requirements are $O(\log^3 q)$. Improvements by Elkies and Atkin led to the so called Schoof-Elkies-Atkin algorithm with a run time of $O(\log^{4+\varepsilon} q)$ bit operations, and further work by Couveignes and Lercier [3] extended this SEA algorithm to work in small characteristic. Csirik implemented a reduced memory version of the algorithm. Recently Satoh [11] described a new algorithm for small characteristic $p \geq 5$ with run time $O(n^{3+\varepsilon})$ and memory complexity $O(n^3)$. Skjernaa and Fouquet, Gaudry and Harley [7] independently extended Satoh's algorithm to characteristic 2.

In this paper we present a new version of Satoh's algorithm which still runs in $O(n^{3+\varepsilon})$ bit operations, but only needs $O(n^2)$ memory. The algorithm works for all small characteristics and is even faster than the original algorithm by a constant factor of about 1.5. Furthermore, the algorithm can be easily parallelized. We give a detailed description in the characteristic 2 case and present run times and memory usages of our implementation for elliptic curves in the range of interest to cryptography. The given data show that it now becomes feasible to compute the group order of a 200-bit elliptic curve on a smart card.

* F.W.O. research assistant, sponsored by the Fund for Scientific Research - Flanders 
(Belgium). 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 1-13, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001




The remainder of the paper is organized as follows: after a brief review of Satoh's original algorithm in section 2, we outline our $O(n^2)$ memory version in its most general form in section 3. In section 4 we specialize this algorithm to the characteristic 2 case and give ready to implement pseudo-code. Section 5 discusses details of our implementation and contains run times and memory usages for field sizes relevant to cryptographical applications.

2 Satoh's Algorithm

Let $E$ be an elliptic curve over $\mathbb{F}_q$, with $q = p^n$. The number of points $\#E(\mathbb{F}_q)$ satisfies the well known relation $\#E(\mathbb{F}_q) = q + 1 - t$, where $t$ is the trace of the Frobenius endomorphism $F : E \to E : (x, y) \mapsto (x^q, y^q)$. By Hasse's theorem we have $|t| \leq 2\sqrt{q}$.

The basic idea of Satoh's algorithm is to lift both the curve $E$ and the Frobenius endomorphism $F$ to the valuation ring $\mathcal{R}$ of a degree $n$ unramified extension $\mathcal{K}$ of the $p$-adic field $\mathbb{Q}_p$. Since this lifting is done in a canonical way, the trace of the lifted Frobenius $\mathcal{F}$ equals the trace of Frobenius $t$. However, the Frobenius endomorphism $F$ itself is difficult to lift because it is inseparable. Therefore one actually works with the dual of the Frobenius endomorphism, $\hat F$, called the Verschiebung. This Verschiebung is separable if and only if $E$ is non-supersingular and can be lifted explicitly by lifting its kernel. Analyzing the action of the lift $\hat{\mathcal{F}}$ of $\hat F$ on the formal group of the canonical lift $\mathcal{E}$, we obtain an expression for the trace of $\hat{\mathcal{F}}$, which equals the trace of Frobenius $t$.

2.1 The Canonical Lift of an Elliptic Curve

The main step in Satoh's algorithm is lifting the curve $E$ and the Verschiebung $\hat F$ to the valuation ring $\mathcal{R}$ of a degree $n$ unramified extension $\mathcal{K}$ of $\mathbb{Q}_p$. Among the many possible lifts of $E$ from $\mathbb{F}_q$ to $\mathcal{R}$ there is one which has particularly nice properties, called the canonical lift. The canonical lift $\mathcal{E}$ of a non-supersingular elliptic curve $E$ over $\mathbb{F}_q$ is an elliptic curve over $\mathcal{K}$ which satisfies the following two properties: the reduction modulo $p$ of $\mathcal{E}$ equals $E$ and $\mathrm{End}(\mathcal{E}) \cong \mathrm{End}(E)$ as a ring. Deuring has shown that the canonical lift $\mathcal{E}$ always exists and is unique up to isomorphism. Furthermore, a theorem by Lubin, Serre and Tate provides an effective, but slow algorithm to compute the $j$-invariant of $\mathcal{E}$ given the $j$-invariant of $E$.

Theorem 1 (Lubin-Serre-Tate) Let $E$ be a non-supersingular elliptic curve over $\mathbb{F}_q$ with $j$-invariant $j(E) \in \mathbb{F}_q \setminus \mathbb{F}_{p^2}$. Denote with $\Sigma$ the Frobenius substitution on $\mathcal{R}$ and with $\Phi_p(X, Y)$ the $p$-th modular polynomial. Then the system of equations

$$\Phi_p(X, \Sigma(X)) = 0 \quad \text{and} \quad X \equiv j(E) \pmod p, \qquad (1)$$

has a unique solution $J \in \mathcal{R}$, which is the $j$-invariant of the canonical lift $\mathcal{E}$ of $E$.
Note that it is possible to solve the system of equations (1) directly, but this would lead to a slow algorithm because of the explicit computation of $\Sigma$. A detailed description of the Frobenius substitution $\Sigma$ and its computation can be found in [13].

The hypothesis $j(E) \notin \mathbb{F}_{p^2}$ in Theorem 1 is necessary to ensure that a certain partial derivative of $\Phi_p$ does not vanish modulo $p$. This condition is necessary to guarantee the uniqueness of the solution of equation (1). The case $j(E) \in \mathbb{F}_{p^2}$ can be handled very easily using Weil's theorem: since $j(E) \in \mathbb{F}_{p^2}$ there exists an elliptic curve $E'$ defined over $\mathbb{F}_{p^m}$ with $m = 1$ or $m = 2$, which is isomorphic to $E$ over $\mathbb{F}_q$. Let $t_k = p^{mk} + 1 - \#E'(\mathbb{F}_{p^{mk}})$; then $t_{k+1} = t_1 t_k - p^m t_{k-1}$ with $t_0 = 2$, and therefore $\#E(\mathbb{F}_q) = p^n + 1 - t_{n/m}$. So in the remainder of the paper we can assume $j(E) \notin \mathbb{F}_{p^2}$ and in particular that $E$ is non-supersingular.
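The recurrence above, as an added worked example in Python (this is not code from the paper): the curve, the prime and the non-residue are constructed for illustration. One brute-force count over $\mathbb{F}_p$ gives $t_1$; the recurrence $t_{k+1} = t_1 t_k - p^m t_{k-1}$ with $m = 1$ then predicts $\#E'(\mathbb{F}_{p^k})$, and the prediction for $k = 2$ is checked against an independent brute-force count over $\mathbb{F}_{p^2} = \mathbb{F}_p(s)$, $s^2$ a non-residue.

```python
# Added example, not code from the paper: the Weil recurrence used above for the case
# j(E) in F_{p^2}.  Constructed input (assumption): E': y^2 = x^3 + x + 1 over F_5,
# so m = 1 and p^m = 5; the recurrence predicts #E'(F_{5^k}) from a single count over F_5.

def count_points_fp(a, b, p):
    """#E'(F_p) for y^2 = x^3 + a x + b, p an odd prime, by counting square roots of the rhs."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x**3 + a * x + b) % p, 0) for x in range(p))   # +1 for O


def count_points_fp2(a, b, p, nonresidue):
    """#E'(F_{p^2}), F_{p^2} = F_p(s) with s^2 = nonresidue; an element u0 + u1 s is (u0, u1)."""
    def mul(u, v):
        return ((u[0] * v[0] + nonresidue * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)
    elems = [(u0, u1) for u0 in range(p) for u1 in range(p)]
    squares = {}
    for y in elems:
        squares[mul(y, y)] = squares.get(mul(y, y), 0) + 1
    count = 1                                                  # the point at infinity
    for x in elems:
        x3 = mul(mul(x, x), x)
        rhs = ((x3[0] + a * x[0] + b) % p, (x3[1] + a * x[1]) % p)   # x^3 + a x + b, a and b in F_p
        count += squares.get(rhs, 0)
    return count


def trace_sequence(t1, q, kmax):
    """[t_0, ..., t_kmax] with t_k = q^k + 1 - #E'(F_{q^k}), from t_{k+1} = t_1 t_k - q t_{k-1}, t_0 = 2."""
    t = [2, t1]
    for k in range(1, kmax):
        t.append(t1 * t[k] - q * t[k - 1])
    return t


def order_over_extension(a, b, p, k):
    """#E'(F_{p^k}) from one brute-force count over F_p plus the recurrence; checks Hasse's bound."""
    t1 = p + 1 - count_points_fp(a, b, p)
    tk = trace_sequence(t1, p, k)[k]
    if tk * tk > 4 * p**k:
        raise ValueError("trace outside Hasse's bound: the input is not an elliptic curve")
    return p**k + 1 - tk
```

For the curve above, `count_points_fp(1, 1, 5)` returns 9, so $t_1 = -3$, the recurrence gives $t_2 = t_1^2 - 2p = -1$ and hence $\#E'(\mathbb{F}_{25}) = 27$, which `count_points_fp2(1, 1, 5, 2)` confirms. For a curve $E'$ defined over $\mathbb{F}_{p^2}$ ($m = 2$) the same `trace_sequence` is used with $q = p^2$ and $t_1 = p^2 + 1 - \#E'(\mathbb{F}_{p^2})$, and the index to read off is $n/m$ as in the text.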

Let $\sigma : E \to E^\sigma : (x, y) \mapsto (x^p, y^p)$ be the $p$-th power Frobenius morphism, where $E^\sigma$ is the curve obtained by raising each coefficient of $E$ to the $p$-th power, and let $\hat\sigma$ be the dual of $\sigma$. Repeatedly applying $\sigma$ gives rise to the following cycle

$$E_0 \xrightarrow{\ \hat\sigma_0\ } E_1 \xrightarrow{\ \hat\sigma_1\ } \cdots \xrightarrow{\ \hat\sigma_{n-2}\ } E_{n-1} \xrightarrow{\ \hat\sigma_{n-1}\ } E_0,$$

with $E_{(i-1) \bmod n} = E_i^\sigma$ and $\hat\sigma_i$ the dual of $\sigma_i : E_{i+1} \to E_i : (x, y) \mapsto (x^p, y^p)$. Composing these, we see that $\hat F = \hat\sigma_{n-1} \circ \hat\sigma_{n-2} \circ \cdots \circ \hat\sigma_0$. Instead of lifting $E$ and $\hat F$ directly, the crucial insight of Satoh was to lift the whole cycle $(E_0, E_1, \ldots, E_{n-1})$ simultaneously, leading to the diagram



$$
\begin{array}{ccccccccc}
\mathcal{E}_0 & \xrightarrow{\ \Sigma_0\ } & \mathcal{E}_1 & \xrightarrow{\ \Sigma_1\ } & \cdots & \xrightarrow{\ \Sigma_{n-2}\ } & \mathcal{E}_{n-1} & \xrightarrow{\ \Sigma_{n-1}\ } & \mathcal{E}_0 \\
\downarrow & & \downarrow & & & & \downarrow & & \downarrow \\
E_0 & \xrightarrow{\ \hat\sigma_0\ } & E_1 & \xrightarrow{\ \hat\sigma_1\ } & \cdots & \xrightarrow{\ \hat\sigma_{n-2}\ } & E_{n-1} & \xrightarrow{\ \hat\sigma_{n-1}\ } & E_0
\end{array} \qquad (2)
$$



with $\mathcal{E}_i$ the canonical lift of $E_i$ and $\Sigma_i$ the corresponding lift of $\hat\sigma_i$. The theorem of Lubin, Serre and Tate implies that the $j$-invariants of $\mathcal{E}_i$ satisfy

$$\Phi_p(j(\mathcal{E}_i), j(\mathcal{E}_{i+1})) = 0 \quad \text{and} \quad j(\mathcal{E}_i) \equiv j(E_i) \pmod p, \qquad (3)$$

for $i = 0, \ldots, n-1$, indices taken modulo $n$. Define $\Theta : \mathcal{R}^n \to \mathcal{R}^n$ by

$$\Theta(x_0, x_1, \ldots, x_{n-1}) = \bigl(\Phi_p(x_0, x_1), \Phi_p(x_1, x_2), \ldots, \Phi_p(x_{n-1}, x_0)\bigr), \qquad (4)$$

then clearly we have $\Theta(j(\mathcal{E}_0), j(\mathcal{E}_1), \ldots, j(\mathcal{E}_{n-1})) = (0, 0, \ldots, 0)$. Using a multivariate Newton iteration on $\Theta$, we can lift the cycle $(j(E_0), j(E_1), \ldots, j(E_{n-1}))$ to $\mathcal{R}^n$ with arbitrary precision. The iteration step is given by

$$(J_0, J_1, \ldots, J_{n-1}) \leftarrow (J_0, J_1, \ldots, J_{n-1}) - \bigl((D\Theta)^{-1}\Theta\bigr)(J_0, J_1, \ldots, J_{n-1}), \qquad (5)$$
with $D\Theta$ the Jacobian matrix

$$
(D\Theta)(J_0, J_1, \ldots, J_{n-1}) =
\begin{pmatrix}
\frac{\partial \Phi_p}{\partial X}(J_0, J_1) & \frac{\partial \Phi_p}{\partial Y}(J_0, J_1) & 0 & \cdots & 0 \\
0 & \frac{\partial \Phi_p}{\partial X}(J_1, J_2) & \frac{\partial \Phi_p}{\partial Y}(J_1, J_2) & \cdots & 0 \\
\vdots & & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(J_{n-2}, J_{n-1}) & \frac{\partial \Phi_p}{\partial Y}(J_{n-2}, J_{n-1}) \\
\frac{\partial \Phi_p}{\partial Y}(J_{n-1}, J_0) & 0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(J_{n-1}, J_0)
\end{pmatrix} \qquad (6)
$$

The $p$-th modular equation satisfies the Kronecker relation

$$\Phi_p(X, Y) \equiv (X^p - Y)(X - Y^p) \pmod p, \qquad (7)$$

and since $j(E_i) \notin \mathbb{F}_{p^2}$ and $j(E_i) \equiv j(E_{i+1})^p \pmod p$, this leads to the following equations

$$
\begin{aligned}
\frac{\partial \Phi_p}{\partial X}\bigl(j(E_i), j(E_{i+1})\bigr) &\equiv j(E_i)^p - j(E_{i+1}) \not\equiv 0 \pmod p, \\
\frac{\partial \Phi_p}{\partial Y}\bigl(j(E_i), j(E_{i+1})\bigr) &\equiv j(E_{i+1})^p - j(E_i) = j(E_{i+1})^p - j(E_{i+1})^p \equiv 0 \pmod p.
\end{aligned} \qquad (8)
$$

The above equations imply that the Jacobian matrix $(D\Theta)(J_0, J_1, \ldots, J_{n-1})$ is invertible over $\mathcal{R}$ (modulo $p$ it reduces to a diagonal matrix with unit entries) and therefore we see $\bigl((D\Theta)^{-1}\Theta\bigr)(J_0, J_1, \ldots, J_{n-1}) \in \mathcal{R}^n$. Since Newton iteration has quadratic convergence, we can compute $J_i \equiv j(\mathcal{E}_i) \pmod{p^N}$ with $\log N$ iterations.



2.2 The Trace of Frobenius

The canonical lift $\mathcal{E}$ of a non-supersingular elliptic curve $E$ over $\mathbb{F}_q$ has the property that $\mathrm{End}(\mathcal{E}) \cong \mathrm{End}(E)$. Therefore we have $\mathrm{Tr}(F) = \mathrm{Tr}(\mathcal{F})$, where $F$ is the Frobenius endomorphism on $E$ and $\mathcal{F}$ the image of $F$ under the ring isomorphism $\mathrm{End}(E) \cong \mathrm{End}(\mathcal{E})$. Furthermore, the trace of an endomorphism equals the trace of its dual, so $\mathrm{Tr}(\hat F) = \mathrm{Tr}(F) = \mathrm{Tr}(\mathcal{F}) = \mathrm{Tr}(\hat{\mathcal{F}})$. The following proposition by Satoh [11] gives a very simple relation between the trace of $\mathcal{F}$ and the leading coefficient of the endomorphism induced by $\hat{\mathcal{F}}$ on the formal group of $\mathcal{E}$.

Proposition 1 (Satoh) Let $\mathcal{E}$ be an elliptic curve over $\mathcal{K}$ and let $f \in \mathrm{End}_{\mathcal{K}}(\mathcal{E})$ be of degree $d$. Denote with $\tau$ the local parameter of $\mathcal{E}$ at $O$ and assume that the reduction $\pi(f)$ of $f$ modulo $p$ is separable and that $f(\mathrm{Ker}(\pi)) \subseteq \mathrm{Ker}(\pi)$. Let $f(\tau) = c\tau + O(\tau^2)$ be the homomorphism induced by $f$ on the formal group of $\mathcal{E}$, then $\mathrm{Tr}(f) = c + \frac{d}{c}$.
Since the Frobenius endomorphism $F$ is inseparable, we cannot apply the above proposition to $\mathcal{F}$. However, for a non-supersingular curve the Verschiebung $\hat F$ is separable and we have $\mathrm{Tr}(F) = \mathrm{Tr}(\hat{\mathcal{F}}) = c + \frac{q}{c}$ with $\hat{\mathcal{F}}(\tau) = c\tau + O(\tau^2)$. Diagram (2) shows that $\hat{\mathcal{F}}$ can be written as $\hat{\mathcal{F}} = \Sigma_{n-1} \circ \Sigma_{n-2} \circ \cdots \circ \Sigma_0$ and therefore we can compute $c$ as the product of the leading coefficients of the morphisms induced by $\Sigma_i$. More precisely, let $c_i$ be defined by $\tau_{i+1} \circ \Sigma_i = c_i \tau_i + O(\tau_i^2)$, with $\tau_i$ the local parameter of $\mathcal{E}_i$ at $O$, then $c = \prod_{0 \leq i < n} c_i$. Since $\hat F$ is separable, $c$ will be non-zero modulo $p$, so $q/c \equiv 0 \pmod q$ and we conclude

$$\mathrm{Tr}(F) \equiv \prod_{0 \leq i < n} c_i \pmod q. \qquad (9)$$

The final step in Satoh's algorithm is to compute the coefficients $c_i$, based on the equations for $\mathcal{E}_i$ and $\mathcal{E}_{i+1}$ and the kernel of $\Sigma_i$, using Vélu's formulae. The equations for $\mathcal{E}_i$ and $\mathcal{E}_{i+1}$ can be easily computed via a univariate Newton iteration, since we already know their $j$-invariants. The isogenies $\hat\sigma_i$ and $\Sigma_i$ are separable and of degree $p$, so $\hat\sigma_i$ can be explicitly lifted to $\Sigma_i$ by lifting its kernel. This kernel is a subgroup of the $p$-torsion group of $E_i$. The case $p \geq 5$ is discussed in [11] and proceeds by lifting a factor of the $p$-th division polynomial using a Hensel lift. The cases $p = 2, 3$ can be found in [7] and are handled by lifting a single non-trivial torsion point using a Newton iteration.

2.3 Complexity

According to Hasse's theorem we have $|t| \leq 2\sqrt{q}$. Therefore it suffices to lift all the data with precision $N \approx n/2$. Since elements of $\mathcal{R} \bmod p^N$ can be represented as degree $n$ polynomials with coefficients in $\mathbb{Z}/p^N\mathbb{Z}$ and since $N = O(n)$, every element will take $O(n^2)$ memory for fixed $p$. For each curve $\mathcal{E}_i$ with $0 \leq i < n$ we need $O(1)$ such elements, so the total memory required is $O(n^3)$. To lift the cycle of $j$-invariants with precision $N$, we need $\log N$ iterations. Working with the lowest possible precision in every iteration, the lifting of the cycle of $j$-invariants amounts to $O(nM(n^2))$ bit operations, where $M(m)$ is the time to multiply two $m$-bit objects. The computation of one coefficient $c_i$ needs $O(1)$ multiplications, so to compute all $c_i$ we also need $O(nM(n^2))$ bit operations. Therefore the total run time of Satoh's algorithm is $O(nM(n^2))$ bit operations, or $O(n^{3+\varepsilon})$ using fast multiplication techniques.

3 An $O(n^2)$ Memory Algorithm

In this section we present a new version of Satoh's algorithm, which requires only $O(n^2)$ memory and still runs in $O(n^{3+\varepsilon})$ bit operations. The basic idea is very simple: the trace of Frobenius $t$ can be computed as $t \equiv \prod_{0 \leq i < n} c_i \pmod q$ and the $c_i$ only depend on $\mathcal{E}_i$ and $\mathcal{E}_{i+1}$. So the main problem of Satoh's original algorithm is that it lifts all $j$-invariants simultaneously, instead of lifting one $j$-invariant at a time. Note however that lifting all $j$-invariants simultaneously is exactly what makes Satoh's algorithm efficient, because this avoids slow Frobenius computations in $\mathcal{R}$. Thus if we would like our algorithm to run in $O(n^{3+\varepsilon})$ bit operations and only use $O(n^2)$ memory, we have to find a method to lift one $j$-invariant without using Frobenius computations.

Our strategy is as follows: the $j$-invariants $j(\mathcal{E}_i)$ and $j(\mathcal{E}_{i+1})$ satisfy the following relations

$$\Phi_p(j(\mathcal{E}_i), j(\mathcal{E}_{i+1})) = 0, \quad j(\mathcal{E}_i) \equiv j(E_i) \pmod p \quad \text{and} \quad j(\mathcal{E}_{i+1}) \equiv j(E_{i+1}) \pmod p. \qquad (10)$$

Suppose we have $J_{i+1} \equiv j(\mathcal{E}_{i+1}) \pmod{p^N}$ at our disposal, then we can compute $J_i \equiv j(\mathcal{E}_i) \pmod{p^N}$ using a univariate Newton iteration on $\Phi_p(X, J_{i+1})$. This iteration is given by

$$J_i \leftarrow J_i - \frac{\Phi_p(J_i, J_{i+1})}{\frac{\partial \Phi_p}{\partial X}(J_i, J_{i+1})}, \qquad (11)$$

and we can use $j(E_i) \equiv j(\mathcal{E}_i) \pmod p$ as an initial approximation. Since $\Phi_p(X, Y)$ satisfies the Kronecker relation, $\frac{\partial \Phi_p}{\partial X}(J_i, J_{i+1})$ will be invertible in $\mathcal{R}$. Note that we are forced to walk backwards in the cycle, since $\frac{\partial \Phi_p}{\partial Y}(J_i, J_{i+1}) \equiv 0 \pmod p$. Applying this method repeatedly, one easily sees that it suffices to compute one $j$-invariant with precision $N$, e.g. $J_0 \equiv j(\mathcal{E}_0) \pmod{p^N}$. To solve this last problem, we analyze in detail the properties of a bivariate polynomial which satisfies the same relations as $\Phi_p(X, Y)$.



Proposition 2 Let $\mathcal{K}$ be an unramified extension of $\mathbb{Q}_p$ and denote with $\mathcal{R}$ its valuation ring. Let $g \in \mathcal{R}[X, Y]$ and assume $x_0, y_0 \in \mathcal{R}$ such that

$$g(x_0, y_0) \equiv 0 \pmod p, \quad \frac{\partial g}{\partial X}(x_0, y_0) \not\equiv 0 \pmod p \quad \text{and} \quad \frac{\partial g}{\partial Y}(x_0, y_0) \equiv 0 \pmod p. \qquad (12)$$

Then the following properties hold:

1. For every $y \in \mathcal{R}$ with $y \equiv y_0 \pmod p$ there exists a unique $x \in \mathcal{R}$ such that $x \equiv x_0 \pmod p$ and $g(x, y) = 0$.

2. Let $y' \in \mathcal{R}$ with $y \equiv y' \pmod{p^M}$, $M \geq 1$, and let $x' \in \mathcal{R}$ be the unique element with $x' \equiv x_0 \pmod p$ and $g(x', y') = 0$. Then $x' \equiv x \pmod{p^{M+1}}$.

Proof:

1. Define $h \in \mathcal{R}[X]$ by $h(X) = g(X, y)$. Then $h(x_0) \equiv 0 \pmod p$ and $h'(x_0) \equiv \frac{\partial g}{\partial X}(x_0, y_0) \pmod p$. Therefore, $h'(x_0) \not\equiv 0 \pmod p$ and Hensel's lemma guarantees the existence of a unique $x \in \mathcal{R}$ such that $h(x) = g(x, y) = 0$ and $x \equiv x_0 \pmod p$. Furthermore, given $y$, one can compute $x$ with arbitrary precision using a univariate Newton iteration on $g(X, y)$ with $x_0 \bmod p$ as an initial approximation.

2. Define $\delta_x = x' - x$ and $\delta_y = y' - y$. Clearly $\delta_x \equiv \delta_y \equiv 0 \pmod{p^M}$ (the Newton iterates for $y$ and for $y'$ agree modulo $p^M$, since $g(X, y) \equiv g(X, y') \pmod{p^M}$). Writing out the Taylor series of $g(X, Y) = \sum_{i,j} g_{ij} X^i Y^j$ leads to

$$
\begin{aligned}
0 = g(x', y') &= g(x + \delta_x, y + \delta_y) = \sum_{i,j} g_{ij} (x + \delta_x)^i (y + \delta_y)^j \\
&= \sum_{i,j} g_{ij} \bigl(x^i + i x^{i-1}\delta_x + \delta_x^2 R_x(x)\bigr)\bigl(y^j + j y^{j-1}\delta_y + \delta_y^2 R_y(y)\bigr),
\end{aligned} \qquad (13)
$$

with $R_x, R_y$ polynomials with coefficients in $\mathcal{R}$. Since $\delta_x \equiv \delta_y \equiv 0 \pmod{p^M}$, $M \geq 1$ and $g(x, y) = 0$, we get

$$0 \equiv \frac{\partial g}{\partial X}(x, y)\,\delta_x + \frac{\partial g}{\partial Y}(x, y)\,\delta_y \pmod{p^{M+1}}. \qquad (14)$$

The above equation implies $x \equiv x' \pmod{p^{M+1}}$, since $\delta_y \equiv 0 \pmod{p^M}$, $\frac{\partial g}{\partial Y}(x, y) \equiv 0 \pmod p$ and $\frac{\partial g}{\partial X}(x, y) \not\equiv 0 \pmod p$. □

Repeatedly applying Proposition 2 leads to a very simple iterative algorithm to compute $J_0 \equiv j(\mathcal{E}_0) \pmod{p^N}$. Starting with $J_{N-1} \equiv j(\mathcal{E}_{N-1}) \pmod p$, we compute $J_{N-2} \equiv j(\mathcal{E}_{N-2}) \pmod{p^2}$ using a Newton iteration on $\Phi_p(X, J_{N-1})$ similar to equation (11). More generally, given $J_{N-i+1} \equiv j(\mathcal{E}_{N-i+1}) \pmod{p^{i-1}}$ we determine $J_{N-i} \equiv j(\mathcal{E}_{N-i}) \pmod{p^i}$. After $N - 1$ steps we reach $J_0 \equiv j(\mathcal{E}_0) \pmod{p^N}$ (the indices of the cycle are taken modulo $n$, since $N$ may exceed $n$). Combining these ideas finally leads to algorithm Satoh_Low_Memory.



Algorithm 1 (Satoh_Low_Memory)

IN: A $j$-invariant $j \in \mathbb{F}_{p^n} \setminus \mathbb{F}_{p^2}$ of an elliptic curve $E$.

OUT: The trace of Frobenius $t = q + 1 - \#E(\mathbb{F}_q)$ of $E$.

1. Compute $J \equiv j(\mathcal{E}_0) \pmod{p^N}$ with $N > n/2 + 1$ from $J_{N-1} \equiv j(\mathcal{E}_{N-1}) \pmod p$ with $N - 1$ Newton iterations (11);

2. Set $c^2 = 1$;

3. For $i = 1$ To $n$ Do

3.1. Compute $J' \equiv j(\mathcal{E}_{n-i}) \pmod{p^N}$ using a Newton iteration (11) on $\Phi_p(X, J)$;

3.2. Compute the square $c_{n-i}^2 \bmod p^N$ of the coefficient $c_{n-i} \bmod p^N$;

3.3. Set $c^2 = c^2 \times c_{n-i}^2$ and $J = J'$;

4. Compute $c = \sqrt{c^2} \bmod p^N$ with the correct sign;

5. Return $t = c \bmod p^N$.
The memory requirement of algorithm Satoh_Low_Memory is $O(n^2)$ for $p$ fixed: every element in $\mathcal{R} \bmod p^N$ takes $O(n^2)$ memory, and the algorithm needs $O(1)$ such elements. Therefore, the total memory required is $O(n^2)$.

Lifting one $j$-invariant to precision $N$ and computing one coefficient $c_i$ can be done with $O(M(n^2))$ bit operations, so the loop in step 3 takes $O(nM(n^2))$ bit operations. Since the $j$-invariant in step 1 is computed using $N$ Newton iterations with varying precision $i = 2, \ldots, N$, the total cost of step 1 is trivially bounded by $O(nM(n^2))$ bit operations. We therefore conclude that our version still runs in $O(nM(n^2))$ bit operations or $O(n^{3+\varepsilon})$ using fast arithmetic.

4 Algorithms in Characteristic 2

In this section we specialize the $O(n^2)$ memory algorithm of the previous section to the characteristic 2 case, which from a practical point of view is most important.

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$, with $q = 2^n$ and $j(E) \notin \mathbb{F}_4$. It is well known that either $E$ or its quadratic twist is isomorphic over $\mathbb{F}_q$ with an elliptic curve given by an equation of the form $y^2 + xy = x^3 + a$, with $a \in \mathbb{F}_q^*$. Therefore, we can restrict ourselves to this case.

Let $\mathcal{K}$ be a degree $n$ unramified extension of $\mathbb{Q}_2$ and $\mathcal{R}$ its valuation ring. Then $\mathcal{R}$ is isomorphic to $\mathbb{Z}_2[T]/(f(T))$, with $f \in \mathbb{Z}_2[T]$ a monic polynomial of degree $n$ such that its reduction modulo 2 is irreducible in $\mathbb{F}_2[T]$. In practice all computations are carried out in the ring $\mathcal{R} \bmod 2^N$, which can be represented as $(\mathbb{Z}/2^N\mathbb{Z})[T]/(f(T))$.

4.1 Lifting the j-Invariants

For $0 \leq i < n$ define the elliptic curve $E_i$ by the equation $y^2 + xy = x^3 + a^{2^{n-i}}$, so that $j(E_i) = a^{-2^{n-i}} = j(E_{i+1})^2$ as required by the cycle of section 2, and let $\mathcal{E}_i$ be the canonical lift of $E_i$. Using Proposition 2 we can compute $J_i \equiv j(\mathcal{E}_i) \pmod{2^N}$, starting from $J_{i+1} \equiv j(\mathcal{E}_{i+1}) \pmod{2^{N-1}}$, using a univariate Newton iteration on the polynomial $\Phi_2(X, J_{i+1})$, with

$$
\begin{aligned}
\Phi_2(X, Y) = {} & X^3 + Y^3 - X^2Y^2 + 1488(XY^2 + X^2Y) - 162000(X^2 + Y^2) \\
& + 40773375XY + 8748000000(X + Y) - 157464000000000.
\end{aligned} \qquad (15)
$$

Algorithm Lift_Previous_J_Invariant computes coefficients $A, B, C \in \mathcal{R} \bmod 2^N$, such that

$$\Phi_2(X, J_{i+1}) \equiv X^3 + AX^2 + BX + C \pmod{2^N}, \qquad (16)$$

and then calls the recursive algorithm Lift_Previous_J_Invariant_Rec which performs the Newton iteration on the cubic polynomial $X^3 + AX^2 + BX + C$.

With every call of algorithm Lift_Previous_J_Invariant we gain 1 bit of precision, so if we would like to compute $J_0 \equiv j(\mathcal{E}_0) \pmod{2^N}$ then it suffices to start with $j(E_{N-1}) \equiv j(\mathcal{E}_{N-1}) \pmod 2$ and iterate this algorithm $N - 1$ times, which immediately leads to algorithm Lift_First_J_Invariant.
Algorithm 2 (Lift_Previous_J_Invariant)

IN: $J_{i+1} \in \mathcal{R} \bmod 2^N$ with $J_{i+1} \equiv j(\mathcal{E}_{i+1}) \pmod{2^{N-1}}$ and a precision $N$.
OUT: $J_i \in \mathcal{R} \bmod 2^N$ with $J_i \equiv j(\mathcal{E}_i) \pmod{2^N}$.

1. $A = -J_{i+1}^2 + 1488\,J_{i+1} - 162000 \bmod 2^N$;

2. $B = 1488\,J_{i+1}^2 + 40773375\,J_{i+1} + 8748000000 \bmod 2^N$;

3. $C = J_{i+1}^3 - 162000\,J_{i+1}^2 + 8748000000\,J_{i+1} - 157464000000000 \bmod 2^N$;

4. $J_i$ = Lift_Previous_J_Invariant_Rec($J_{i+1}, A, B, C, N$);

5. Return $J_i$.

Algorithm 3 (Lift_Previous_J_Invariant_Rec)

IN: Elements $J_{i+1}, A, B, C \in \mathcal{R} \bmod 2^N$ with $J_{i+1} \equiv j(\mathcal{E}_{i+1}) \pmod{2^{N-1}}$, $\Phi_2(X, J_{i+1}) \equiv X^3 + AX^2 + BX + C \pmod{2^N}$ and a precision $N$.

OUT: An element $J_i \in \mathcal{R} \bmod 2^N$ with $J_i \equiv j(\mathcal{E}_i) \pmod{2^N}$.

1. If $N = 1$ Then

1.1. $J_i = J_{i+1}^2 \bmod 2$;

2. Else

2.1. $N' = \lceil N/2 \rceil$;

2.2. $J_i$ = Lift_Previous_J_Invariant_Rec($J_{i+1}, A, B, C, N'$);

2.3. $J_i = J_i - \dfrac{J_i^3 + AJ_i^2 + BJ_i + C}{3J_i^2 + 2AJ_i + B} \bmod 2^N$;

3. Return $J_i$.

Algorithm 4 (Lift_First_J_Invariant)

IN: A $j$-invariant $j_0 \in \mathbb{F}_{2^n} \setminus \mathbb{F}_4$ and a precision $N$.

OUT: $J_0 \in \mathcal{R} \bmod 2^N$ with $J_0 \equiv j_0 \pmod 2$ and $\Phi_2(J_0, \Sigma(J_0)) \equiv 0 \pmod{2^N}$.

1. $J_0 = j_0^{2^{-(N-1)}} \bmod 2$, i.e. $j(E_{N-1})$, obtained by taking $N - 1$ square roots of $j_0$ in $\mathbb{F}_{2^n}$;

2. For $i = 2$ To $N$ Do

2.1. $J_0$ = Lift_Previous_J_Invariant($J_0, i$);

3. Return $J_0$.
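The lifting procedure of Algorithms 2-4 (and, in general form, the strategy of Proposition 2 and step 1 of Algorithm 1), as an added worked example in Python. This is not code from the paper. It builds $\mathcal{R} \bmod 2^N = (\mathbb{Z}/2^N\mathbb{Z})[T]/(f(T))$ for a constructed toy field ($n = 7$, $f = T^7 + T + 1$, $N = 12$), computes inverses and the Frobenius substitution $\Sigma(T)$ by Newton/Hensel lifting, walks the cycle backwards with the cubic Newton step of Algorithm 3, and verifies the output specification of Algorithm 4, $\Phi_2(J_0, \Sigma(J_0)) \equiv 0 \pmod{2^N}$, which is the Lubin-Serre-Tate equation (1). For simplicity all arithmetic is done at the full precision $N$ instead of the minimal precision of each recursion level; the field, the precision and the input $j_0$ are assumptions of this example.

```python
# Added example, not code from the paper: Algorithms 2-4 of Section 4.1 in pure Python,
# lifting one j-invariant at a time in R mod 2^N = (Z/2^N Z)[T]/(f(T)).  Assumptions
# (constructed): n = 7, f(T) = T^7 + T + 1, N = 12, all arithmetic at full precision N.
F_POLY = [1, 1, 0, 0, 0, 0, 0, 1]          # f(T) = 1 + T + T^7, coefficients low to high
N_PREC = 12
PHI2_CONST = 157464000000000

class RingMod2N:
    """(Z/2^N Z)[T]/(f(T)) with f monic, irreducible mod 2; an element is a list of n ints."""
    def __init__(self, f, prec):
        self.f, self.n, self.prec, self.mod = f, len(f) - 1, prec, 1 << prec
    def const(self, c):
        return [c % self.mod] + [0] * (self.n - 1)
    def add(self, a, b):
        return [(x + y) % self.mod for x, y in zip(a, b)]
    def sub(self, a, b):
        return [(x - y) % self.mod for x, y in zip(a, b)]
    def smul(self, c, a):
        return [(c * x) % self.mod for x in a]
    def mul(self, a, b):
        prod = [0] * (2 * self.n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] += x * y
        for k in range(2 * self.n - 2, self.n - 1, -1):   # T^n = -(f_0 + ... + f_{n-1} T^{n-1})
            c, prod[k] = prod[k], 0
            for i in range(self.n):
                prod[k - self.n + i] -= c * self.f[i]
        return [x % self.mod for x in prod[:self.n]]
    def pow(self, a, e):
        result, base = self.const(1), a
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result
    def inv(self, u):
        """u^(2^n-2) is 1/u mod 2 (F_{2^n}); v <- v(2 - u v) then doubles the precision."""
        v = self.pow(u, (1 << self.n) - 2)
        for _ in range(self.prec.bit_length()):
            v = self.mul(v, self.sub(self.const(2), self.mul(u, v)))
        return v
    def mod2(self, a):
        return [x & 1 for x in a]
    def is_zero(self, a):
        return not any(a)

def eval_zpoly(ring, coeffs, x):
    """Horner evaluation at x in R of a polynomial with coefficients in Z/2^N (low to high)."""
    acc = ring.const(0)
    for c in reversed(coeffs):
        acc = ring.add(ring.mul(acc, x), ring.const(c))
    return acc

def frobenius_substitution(ring):
    """Sigma(T): the root of f congruent to T^2 mod 2, by Newton iteration on f (f' is a unit)."""
    x = ring.pow([0, 1] + [0] * (ring.n - 2), 2)
    df = [k * ring.f[k] for k in range(1, ring.n + 1)]
    for _ in range(ring.prec.bit_length()):
        x = ring.sub(x, ring.mul(eval_zpoly(ring, ring.f, x), ring.inv(eval_zpoly(ring, df, x))))
    return x

def phi2(ring, X, Y):
    """Phi_2(X, Y) of equation (15)."""
    X2, Y2, XY = ring.mul(X, X), ring.mul(Y, Y), ring.mul(X, Y)
    acc = ring.sub(ring.add(ring.mul(X2, X), ring.mul(Y2, Y)), ring.mul(X2, Y2))
    acc = ring.add(acc, ring.smul(1488, ring.add(ring.mul(XY, Y), ring.mul(XY, X))))
    acc = ring.sub(acc, ring.smul(162000, ring.add(X2, Y2)))
    acc = ring.add(acc, ring.add(ring.smul(40773375, XY), ring.smul(8748000000, ring.add(X, Y))))
    return ring.sub(acc, ring.const(PHI2_CONST))

def cubic_coefficients(ring, Y):
    """A, B, C of Algorithm 2, so that Phi_2(X, Y) = X^3 + A X^2 + B X + C."""
    Y2 = ring.mul(Y, Y)
    A = ring.sub(ring.sub(ring.smul(1488, Y), Y2), ring.const(162000))
    B = ring.add(ring.add(ring.smul(1488, Y2), ring.smul(40773375, Y)), ring.const(8748000000))
    C = ring.sub(ring.add(ring.sub(ring.mul(Y2, Y), ring.smul(162000, Y2)), ring.smul(8748000000, Y)),
                 ring.const(PHI2_CONST))
    return A, B, C

def lift_previous_j_invariant_rec(ring, J_next, A, B, C, N):
    """Algorithm 3: Newton iteration on X^3 + A X^2 + B X + C, precision 1 -> ... -> N."""
    if N == 1:
        return ring.mul(J_next, J_next)            # j(E_i) = j(E_{i+1})^2 mod 2
    J = lift_previous_j_invariant_rec(ring, J_next, A, B, C, (N + 1) // 2)
    J2 = ring.mul(J, J)
    g = ring.add(ring.add(ring.mul(J2, J), ring.mul(A, J2)), ring.add(ring.mul(B, J), C))
    dg = ring.add(ring.add(ring.smul(3, J2), ring.mul(ring.smul(2, A), J)), B)   # a unit mod 2
    return ring.sub(J, ring.mul(g, ring.inv(dg)))

def lift_previous_j_invariant(ring, J_next, N):
    """Algorithm 2: J_{i+1} correct mod 2^(N-1)  ->  J_i correct mod 2^N."""
    A, B, C = cubic_coefficients(ring, J_next)
    return lift_previous_j_invariant_rec(ring, J_next, A, B, C, N)

def lift_first_j_invariant(ring, j0, N):
    """Algorithm 4: start at j(E_{N-1}) = j0^(2^-(N-1)) mod 2, then N-1 backward steps."""
    J = ring.mod2(j0)
    for _ in range(N - 1):                         # square root in F_{2^n}: x -> x^(2^(n-1))
        J = ring.mod2(ring.pow(J, 1 << (ring.n - 1)))
    for i in range(2, N + 1):                      # one bit of 2-adic precision per step
        J = lift_previous_j_invariant(ring, J, i)
    return J

def is_canonical_lift(ring, J):
    """Output check of Algorithm 4 (Theorem 1): Phi_2(J, Sigma(J)) = 0 mod 2^N."""
    sigma_J = eval_zpoly(ring, J, frobenius_substitution(ring))   # Sigma fixes Z_2, T -> Sigma(T)
    return ring.is_zero(phi2(ring, J, sigma_J))
```

Calling `lift_first_j_invariant(RingMod2N(F_POLY, N_PREC), [0, 1, 0, 0, 0, 0, 0], N_PREC)` lifts the constructed input $j_0 = T$; the returned list holds the coefficients of $J_0 \bmod 2^{12}$, with $J_0 \equiv j_0 \pmod 2$. The check in `is_canonical_lift` needs $\Sigma$, which the algorithm itself never computes (that is the point of section 3); the substitution is only used here to verify the result. Adding $2^{N-1}$ to one coefficient of $J_0$ makes the check fail, because $\partial \Phi_2 / \partial Y$ is a unit at $(J_0, \Sigma(J_0))$.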
4.2 Computing the Trace

In this section we give an explicit formula for the first coefficient $c_i$ of the formal group expression of $\Sigma_i$. This suffices to compute the trace of Frobenius $t$, since $t \equiv \prod_{0 \leq i < n} c_i \pmod q$.

The following proposition gives an expression for $c_i^2$ in terms of the $j$-invariant of $\mathcal{E}_i$ and the $x$-coordinate of the non-trivial point in $\mathrm{Ker}(\Sigma_i)$. Since $\Sigma_i$ is separable and of degree 2, its kernel is a subgroup of order 2 of the 2-torsion points and therefore contains exactly one non-trivial point. The proposition is adapted from [14]: the proof is exactly the same, but the given formulae have been simplified as much as possible.

Proposition 3 Let $\tau_i = -x/y$ be the local parameter of $\mathcal{E}_i$ at $O$ and let $c_i$ be defined as $\tau_{i+1} \circ \Sigma_i = c_i \tau_i + O(\tau_i^2)$. Denote the non-trivial point in $\mathrm{Ker}(\Sigma_i)$ by $Q_i = (x_i, y_i)$ and let $z_i = x_i/2$ and $t_i = (12 z_i^2 + z_i)(j(\mathcal{E}_i) - 1728) - 36$, then

$$c_i^2 = \frac{j(\mathcal{E}_i) - (504 + 12096\, z_i)\, t_i}{j(\mathcal{E}_i) + 240\, t_i}. \qquad (17)$$

Algorithm 5 (Compute_Trace)

IN: A $j$-invariant $j \in \mathbb{F}_{2^n} \setminus \mathbb{F}_4$ of an elliptic curve $E$.

OUT: The trace of Frobenius $t = q + 1 - \#E(\mathbb{F}_q)$ of $E$.

1. $N = \lceil n/2 \rceil + 13$; $M = N - 10$;

2. $J$ = Lift_First_J_Invariant($j, N$);

3. $CN = 1$; $CD = 1$;

4. For $i = 0$ To $n - 1$ Do

4.1. $J'$ = Lift_Previous_J_Invariant($J, N$);

4.2. $Z = -\dfrac{(J^2 + 195120\,J + 4095\,J' + 660960000)/2^{12}}{(J^2 + J(563760 - 512\,J') + 372735\,J' + 8981280000)/2^{9}}$;

4.3. $T = (12Z^2 + Z)(J' - 1728) - 36$;

4.4. $CN = CN \times (J' - (504 + 12096\,Z)\,T)$;

4.5. $CD = CD \times (240\,T + J')$;

4.6. $J = J'$;

5. $t$ = Sqrt($CN/CD$, 1, $M$) $\bmod 2^{\lceil n/2 \rceil + 2}$;

6. If $t > 2^{\lceil n/2 \rceil + 1}$ Then $t = t - 2^{\lceil n/2 \rceil + 2}$;

7. Return $t$.
Thus to compute $c_i^2$, we need an expression for half the $x$-coordinate of the non-trivial point $Q_i \in \mathrm{Ker}(\Sigma_i)$. Again we follow [14], but considerably simplify the formula for $z_i$.

Proposition 4 Let $Q_i = (x_i, y_i)$ be the non-trivial point in $\mathrm{Ker}(\Sigma_i)$ and let $z_i = x_i/2$, then

$$z_i = -\frac{\bigl(j(\mathcal{E}_{i+1})^2 + 195120\, j(\mathcal{E}_{i+1}) + 4095\, j(\mathcal{E}_i) + 660960000\bigr)/2^{12}}{\bigl(j(\mathcal{E}_{i+1})^2 + j(\mathcal{E}_{i+1})(563760 - 512\, j(\mathcal{E}_i)) + 372735\, j(\mathcal{E}_i) + 8981280000\bigr)/2^{9}}. \qquad (18)$$

Combining the above propositions we can compute $c^2 = \prod_{i=0}^{n-1} c_i^2$. Since the trace of Frobenius $t$ satisfies $t \equiv c \pmod q$ and $|t| \leq 2\sqrt{q}$, we have $t \equiv c \pmod{2^{\lceil n/2 \rceil + 2}}$. The 2-adic square root can be found via a Newton iteration for the inverse square root, i.e. via a Newton iteration on $s(X) = c^2 X^2 - 1$. Clearly, we have $s(1/c) = 0$ and $s'(1/c) \equiv 0 \pmod 2$. Furthermore, $c \equiv 1 \pmod 4$, since $E$ has a point of order 4 and thus $s'(1/c) \not\equiv 0 \pmod 4$. The vanishing of $s'(1/c)$ modulo 2 means that we lose exactly one bit of precision in the computation of the square root and therefore we need to compute $c^2$ modulo $2^{\lceil n/2 \rceil + 3}$. Substituting the expressions for $z_i$ and $t_i$ in $c_i^2$, we see that we have to determine the $j$-invariants $j(\mathcal{E}_i)$ with precision $2^{\lceil n/2 \rceil + 13}$. This finally leads to the main algorithm Compute_Trace. In step 5 we use the function Sqrt, which computes the 2-adic square root of $c^2$ with precision $M$, such that $c \equiv 1 \pmod 4$.
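The 2-adic square root with its one-bit precision loss, as an added example in Python (this is not the paper's Sqrt routine). It uses the standard division-free inverse-square-root step $x \leftarrow x(3 - c^2 x^2)/2$, which is Newton's method for $1/X^2 - c^2$ rather than for the paper's $s(X) = c^2 X^2 - 1$; this choice is an assumption of the example, made to avoid an inversion per step. The precision behaviour is the same: the derivative again vanishes modulo 2, an error of 2-adic valuation $k$ becomes one of valuation $2k - 1$, and the halving costs the top bit, so from $c^2 \bmod 2^M$ one recovers $c \bmod 2^{M-1}$. The inputs are constructed integers.

```python
# Added example, not from the paper: 2-adic square root of a = c^2 mod 2^M, c = 1 mod 4,
# via the inverse-square-root Newton step x <- x(3 - a x^2)/2 (an assumption; the paper
# iterates on s(X) = c^2 X^2 - 1).  Inputs below are constructed.

def sqrt_2adic(a, M):
    """Return c mod 2^(M-1) given a = c^2 mod 2^M with c = 1 mod 4 (M >= 3).

    x approximates 1/c; x = 1 is correct mod 4 because c = 1 mod 4.  Each step maps an
    error of valuation k to one of valuation 2k - 1, and the halving drops the top bit of
    the working modulus, so exactly one bit of precision is lost overall.
    """
    if a % 8 != 1:
        raise ValueError("the square of a 2-adic unit is 1 mod 8")
    mod = 1 << M
    x, k = 1, 2                                   # x = 1/c mod 2^k
    while k < M - 1:
        x = (x * (3 - a * x * x) % mod) // 2      # numerator is even since a x^2 = 1 mod 8
        k = 2 * k - 1
    return (a * x) % (mod >> 1)                   # c = c^2 * (1/c), known mod 2^(M-1)
```

With $M = 40$ and $c = 12345$ ($\equiv 1 \pmod 4$), `sqrt_2adic(c * c % 2**40, 40)` returns 12345; the loop runs six times ($k = 2, 3, 5, 9, 17, 33, 65$), one step more than plain quadratic convergence would need, which is the cost of the vanishing derivative.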

5 Implementation

In this section we give practical run times and memory usages of both the original Satoh lifting algorithm combined with the simplified formulae taken from [14] and our $O(n^2)$ memory version for elliptic curves in the range of interest to cryptography. Both algorithms have been implemented in the C programming language on an AMD Thunderbird 1 GHz PC with 384 MB of main memory, running Red Hat Linux 6.2. All programs were compiled using the gcc compiler, version 2.7.2.3. Before giving the actual results we make some comments on our implementation.

Since efficiency was our main goal, we have written the basic operations on multiple precision integers in assembly. These include: addition and subtraction, shift left/right and the multiplication of a multi-precision integer by a word. To minimize the loop overhead for small multiple precision integers, i.e. integers which fit in four words or less, we implemented unrolled versions of the above-mentioned operations.

Elements of $\mathbb{F}_{2^n}$ are represented with respect to a standard polynomial basis, i.e. as polynomials over $\mathbb{F}_2$ modulo a degree $n$ irreducible polynomial $f$. By choosing $f$ as a trinomial or a pentanomial, reduction modulo $f$ becomes very efficient. The same polynomial $f$ is used to construct $\mathcal{R} \bmod 2^N$ as $(\mathbb{Z}/2^N\mathbb{Z})[T]/(f(T))$. Multiplication of two elements in $\mathcal{R} \bmod 2^N$ is implemented using Karatsuba's trick in the polynomial dimension and classical multiplication for the coefficients.
In Table 1 we compare the characteristic 2 version of Satoh's original algorithm with our $O(n^2)$ memory version for finite fields $\mathbb{F}_{2^n}$ relevant to cryptographical applications. The data in this table show that our algorithm is faster by a constant factor of about 1.5 and that the memory requirements are considerably lower than for Satoh's original algorithm. We note that our current implementation is more optimized towards speed than it is towards minimizing memory usage. Therefore it would be possible to lower the memory requirements by another 30%. Since a smart card typically has 32 KB of memory (in the near future this will be 64 KB), it becomes feasible to generate secure elliptic curves on a smart card.



Table 1. Run times and memory usage of Satoh's algorithm versus the O(n^2) memory version on an AMD 1 GHz

                      Original Satoh              O(n^2) memory version
  Field size n    Time (s)    Memory (KB)      Time (s)    Memory (KB)
      160            5.43         315             3.17          30
      180            9.11         534             5.64          44
      200           11.8          650             7.41          48
      220           15.4          790             9.83          54
      240           28.1         1162            15.8           73
      260           36.0         1371            20.3           80
      280           44.1         1574            25.1           86
      300           64.3         2180            39.2          109
      340           88.7         2790            55.3          125
      380          133           4052            82.7          162
      420          195           5643           123            197
      460          244           6756           154            224
      500          400           8964           225            275

6 Conclusion

In this paper we have presented a new version of Satoh's algorithm which only needs $O(n^2)$ memory, where the original algorithm needs $O(n^3)$ memory. Furthermore, we showed that our algorithm still runs in $O(n^{3+\varepsilon})$ bit operations, which equals the run time complexity of Satoh's original algorithm. Our version relies on univariate Newton iterations where Satoh also uses multivariate Newton iterations. In our implementation, this resulted in a speed-up of a factor of about 1.5. As a result of the $O(n^2)$ memory complexity, it now becomes feasible to generate secure elliptic curves on a smart card.
Abstract. The use of elliptic curves in cryptography relies on the ability to count the number of points on a given curve. Before 1999, the SEA algorithm was the only efficient method known for random curves. Then Satoh proposed a new algorithm based on the canonical $p$-adic lift of the curve for $p \geq 5$. In an earlier paper, the authors extended Satoh's method to the case of characteristics two and three. This paper presents an implementation of the Satoh-FGH algorithm and its application to the problem of finding curves suitable for cryptography. By combining Satoh-FGH and an early-abort strategy based on SEA, we are able to find secure random curves in characteristic two in much less time than previously reported. In particular we can generate curves widely considered to be as secure as RSA-1024 in less than one minute each on a fast workstation.



1 Introduction 

Since elliptic curve cryptosystems were first proposed in the mid-eighties by 
Koblitz [Kob87] and Miller pUzl, their efficiency and security have been the 
focus of intense study. In recent years, they have become widely accepted as 
an alternative to cryptosystems based on factorisation or discrete logarithms in 
finite fields, especially for constrained environments. 

One of the initial steps in protocols based on elliptic curve cryptography is to 
generate a suitable curve defined over a finite field. To ensure that the system is 
secure, the curve must be chosen to have a number of points which is divisible by 
a large prime so that computing discrete logarithms on the curve is intractable 
using known attacks. Hence it is necessary to know the cardinality of the curve. 

Among the elliptic curves defined over a given finite field, there are some 
classes of curves with particular properties that are useful for counting points 
or for accelerating arithmetic operations occurring in the protocols. However 
choosing such curves can be dangerous. 

Perhaps the most striking example is trace 1 curves. The number of points 
over $\mathbb{F}_q$ is simply $q$. However Smart [Sma99], Satoh-Araki [SA98] and Semaev 
[Sem98] independently discovered a polynomial-time attack. 

Another attack due to Menezes-Okamoto-Vanstone [MOV93], and gener- 
alised by Frey-Rück [FR94], reduces discrete logs on supersingular and trace 
2 curves to discrete logs in a small-degree extension of $\mathbb{F}_q$. This yields an algo- 
rithm that runs in sub-exponential time. 

A minor weakness is known for curves with many automorphisms EDM, 
EUg, [DGM99], including curves defined over a small subfield, proposed by 
Koblitz, and some complex-multiplication curves. Attacks on these curves take 
less time than for generic curves, but remain in exponential time. 

It has recently been shown by Gaudry-Hess-Smart [GHS00] that curves de- 
fined over composite extension fields are also weak in certain cases, using a 
reduction via hyperelliptic curves. 

These results suggest that for maximum security one should avoid curves 
with special properties and instead choose a random curve whose number of 
points is divisible by a large prime, over a prime field or an extension of prime 
degree. This ideal procedure was made possible in practice by the SEA algorithm 
due to Schoof [Sch85], Elkies, Atkin and others {DM PM, HM, [Ler97a], 
|VmT^, [Dew98], etc. With this method, counting points on one given curve is 
reasonably fast. 

However finding a cryptographically suitable curve requires testing many 
curves and this takes much more time. For instance, Johnson and Menezes [JM99] 
recently described this process as a "complicated and cumbersome task" requir- 
ing "a few hours on a workstation" for 200 bits. 

Recently, a new algorithm for counting points on curves in small character- 
istic $p \geq 5$ was designed by Satoh [Sat00] and we extended it to characteristics 
two and three in [FGH00]. An independent extension to characteristic two is 
described by Skjernaa [Skj]. 

Satoh's algorithm is asymptotically superior to SEA for fixed $p$, requiring 
$O(\log^{3+\varepsilon} q)$ deterministic time, instead of $O(\log^{4+\varepsilon} q)$ under reasonable hypothe- 
ses. As demonstrated in [FGH00], the Satoh-FGH algorithm is much faster in 
practice in characteristic two. Indeed we were able to count points over much 
larger fields (up to 8009 bits) than had previously been possible, and could match 
the largest size reached with SEA (i.e. 1999 bits) in just three hours. 

In the following we will describe a method for generating cryptographically 
suitable curves, over fields of 113 to 571 bits, using an implementation of the 
Satoh-FGH algorithm combined with an efficient early-abort strategy based on 
ideas from SEA. In this manner we reduce substantially the time required for 
curve-generation, finding suitable 200-bit curves in minutes rather than hours 
on a workstation, for instance. 

In section 2 we recall some basic facts about elliptic curves defined over finite 
fields of characteristic two. Next we review some algorithms that can be used 
to compute the cardinality of a curve, and in particular we give a description 
of the Satoh-FGH algorithm. Section 4 gives the conditions that a curve must 
satisfy in order to be suitable for cryptographic applications. It also describes the 
early-abort strategy first used by Lercier in [Ler97a] for selecting good curves. 
Last but not least we describe our implementation and the results we obtained by 
combining a more aggressive early-abort strategy and the Satoh-FGH algorithm. 
2 Elliptic Curves over Finite Fields of Characteristic Two 

In this section, we recall some basic facts about elliptic curves defined over 
$\mathbb{F}_q$ where $q = 2^d$. We will only be concerned with characteristic two. For more 
information on elliptic curves, the reader can refer to [Men93], [Sil86], [BSS99]. 

For our purposes, we can choose the equation of an elliptic curve $E$ (with 
non-zero $j$-invariant) to be: 

$$E : y^2 + xy = x^3 + a_6 \quad \text{where } a_6 \in \mathbb{F}_q^*.$$ 

Its twist curve is: 

$$E^t : y^2 + xy = x^3 + a_2 x^2 + a_6$$ 

where $a_2$ is some fixed element of trace 1. 

An important invariant of the curve is its $j$-invariant $j(E) = 1/a_6$. In the 
following we assume $j(E) \notin \mathbb{F}_4$ and in particular that curves are ordinary, i.e., 
not supersingular. 

The set of points $E(\mathbb{F}_q)$ of the curve is: 

$$E(\mathbb{F}_q) = \{(x,y) \in \mathbb{F}_q^2 \mid (x,y) \text{ satisfies the equation of } E\} \cup \{O_E\},$$ 
where $O_E$ is the point at infinity. 

The Frobenius automorphism $F$ is the map $x \mapsto x^q$ on $\mathbb{F}_q$. It can be extended 
to an endomorphism of $E$: 

$$F : E \to E, \qquad (x,y) \mapsto (x^q, y^q).$$ 

Its characteristic equation is of the form: 

$$F^2 - cF + q = 0.$$ 

One can show that the number of points on $E$ is 

$$N = q + 1 - c, \quad \text{with } |c| \leq 2\sqrt{q},$$ 

where $c$ is the trace of Frobenius on $E$. The bound on $c$ is due to Hasse. 
Note that $4 \mid N$ since the point $(\sqrt[4]{a_6}, \sqrt{a_6})$ on $E$ has order four. The number of 
points on $E^t$ is $N^t = q + 1 + c$ and one has $2 \parallel N^t$. 

The little Frobenius automorphism $\sigma$ is the map $x \mapsto x^2$. It can be extended 
to an isogeny from $E$ to the conjugate curve $E^\sigma : y^2 + xy = x^3 + a_6^2$ as follows: 

$$\sigma : E \to E^\sigma, \qquad (x,y) \mapsto (x^2, y^2).$$ 
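The facts above (two points per non-zero abscissa decided by a trace condition, $4 \mid N$, $2 \parallel N^t$, $N^t = q + 1 + c$ and Hasse's bound) can be checked by brute force over a small field. The following is an added example and not code from the paper: it assumes the constructed field $\mathbb{F}_{2^{11}} = \mathbb{F}_2[t]/(t^{11} + t^2 + 1)$ and an arbitrary constructed coefficient $a_6$, counts $E(\mathbb{F}_q)$ and $E^t(\mathbb{F}_q)$ by solving the curve equation for $y$ at every $x$, and doubles the point $(\sqrt[4]{a_6}, \sqrt{a_6})$ to confirm that it has order four.

```python
# Added example (not from the paper): brute-force point counting over a small
# binary field, checking the facts stated in section 2.
# Constructed field: F_q = F_2[t]/(t^11 + t^2 + 1), q = 2^11; an element is an
# int whose bit i is the coefficient of t^i.  D is odd, so Tr(1) = 1 and F_4 is
# not a subfield: j(E) = 1/a6 lies outside F_4 whenever a6 is not 0 or 1.
D = 11
POLY = (1 << D) | (1 << 2) | 1
Q = 1 << D

def gf_mul(a, b):
    """Multiplication in F_q: shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):          # a != 0; Fermat: a^(q-2) = a^(-1)
    return gf_pow(a, Q - 2)

def gf_sqrt(a):         # squaring is a bijection, so a^(2^(D-1)) is the unique root
    return gf_pow(a, Q >> 1)

def gf_trace(a):        # Tr(a) = a + a^2 + ... + a^(2^(D-1)), an element of {0, 1}
    t, s = 0, a
    for _ in range(D):
        t ^= s
        s = gf_mul(s, s)
    return t

def count_points(a6, a2=0):
    """#E(F_q) for E: y^2 + xy = x^3 + a2 x^2 + a6 with a6 != 0.
    x = 0 gives the single point (0, sqrt(a6)).  For x != 0 write y = xz:
    z^2 + z = x + a2 + a6/x^2 has two solutions iff the trace of the
    right-hand side is 0, and none otherwise."""
    n = 2                      # the point at infinity O_E and (0, sqrt(a6))
    for x in range(1, Q):
        xinv = gf_inv(x)
        rhs = x ^ a2 ^ gf_mul(a6, gf_mul(xinv, xinv))
        if gf_trace(rhs) == 0:
            n += 2
    return n

def on_curve(P, a6, a2=0):
    x, y = P
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(a2, gf_mul(x, x)) ^ a6
    return lhs == rhs

def double(P, a2=0):
    """[2]P on y^2 + xy = x^3 + a2 x^2 + a6; None stands for O_E.
    A point with x = 0 is 2-torsion, so its double is O_E."""
    if P is None or P[0] == 0:
        return None
    x, y = P
    lam = x ^ gf_mul(y, gf_inv(x))        # tangent slope x + y/x
    x3 = gf_mul(lam, lam) ^ lam ^ a2
    y3 = gf_mul(x, x) ^ gf_mul(lam ^ 1, x3)
    return (x3, y3)

A6 = 0x2A3          # constructed, arbitrary non-zero a6
A2 = 1              # Tr(1) = 1 because D is odd, so a2 = 1 defines the twist

def demo():
    n = count_points(A6)
    nt = count_points(A6, A2)
    c = Q + 1 - n                                 # trace of Frobenius
    p4 = (gf_sqrt(gf_sqrt(A6)), gf_sqrt(A6))      # (a6^(1/4), a6^(1/2))
    return {"N": n, "N_twist": nt, "c": c, "P4": p4}

if __name__ == "__main__":
    print(demo())
```

Counting this way costs one inversion and one trace per abscissa, so it only scales to toy fields; the rest of the paper is about doing the same job for $q = 2^{163}$ and beyond. The doubling formula is the char-2 tangent rule $\lambda = x + y/x$, $x_3 = \lambda^2 + \lambda + a_2$, $y_3 = x^2 + (\lambda + 1)x_3$; for $(\sqrt[4]{a_6}, \sqrt{a_6})$ it gives $\lambda = 0$, so the double is the 2-torsion point $(0, \sqrt{a_6})$ and the point has order exactly four.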
3 Counting the Number of Points 

3.1 The Schoof-Elkies-Atkin Algorithm 

The first polynomial-time algorithm for counting points on elliptic curves over 
finite fields was described by Schoof in [Sch85]. The basic idea is to find the trace 
of the curve modulo small primes $\ell$ by studying the action of $F$ on the $\ell$-torsion 
part of $E$. Restricting the characteristic equation of $F$ to the $\ell$-torsion results in 

for each point $(X, Y)$, where $c_\ell = c \bmod \ell$. This equality can be tested, for 
each candidate $c_\ell \in [0..\ell-1]$, by doing polynomial arithmetic modulo the 
$\ell$-division polynomial. Now, it suffices to compute $c_\ell$ for many small primes $\ell$ 
and then to recover the exact result using the Chinese Remainder Theorem. The 
time required for point-counting over $\mathbb{F}_q$ with this algorithm is $O(\log^{5+\varepsilon} q)$ using 
asymptotically fast methods for arithmetic (or $O(\log^8 q)$ using naive arithmetic). 
The degree of the $\ell$-division polynomial is $O(\ell^2)$, which grows quickly and causes 
this algorithm to be slow in practice. 

In large characteristic, Elkies and Atkin [Atk92] improved Schoof's 
method yielding the so-called SEA algorithm (see [Sch95]) with run-time re- 
duced to $O(\log^{4+\varepsilon} q)$ (or $O(\log^6 q)$) under reasonable hypotheses. Their idea is 
to construct a factor of degree $O(\ell)$ of the division polynomial and work with it 
instead. Such a factor can be found by factoring the modular polynomial to find 
eigenspaces of the Frobenius endomorphism $F$ restricted to $E[\ell]$. 

Further work by Morain [Mor95] and others led to practical implementations 
of SEA for prime fields. Couveignes extended SEA to work in small characteristic 
using the formal group or the $p$-torsion and Lercier found an 
efficient method for characteristic two [Ler97a]. 

3.2 The Satoh-FGH Algorithm 

Here we present our adaptation of Satoh's algorithm to the case of characteristic 
two. The reader can find more details, including for odd characteristic, in [Sat00] 
and [FGH00]. 

The principal idea of this new algorithm is to lift $E$ to a curve $\mathcal{E}$ over a 2-adic 
ring $\mathbb{Z}_q$ and to compute the trace of the Frobenius on $\mathcal{E}$. 



Canonical Lift of the Curve. Just as $\mathbb{F}_q$ is obtained from $\mathbb{F}_2$ by taking an 
algebraic extension modulo an irreducible polynomial $f(x)$, one can obtain $\mathbb{Z}_q$ 
from the 2-adic integers $\mathbb{Z}_2$ by taking an extension modulo a polynomial $g(x)$ 
which reduces modulo 2 to $f(x)$. Thus we have $\mathbb{Z}_q = \mathbb{Z}_2[x]/(g(x))$. We represent 
this situation with the following figure. 

[Figure: the extension $\mathbb{Z}_2 \subset \mathbb{Z}_q$ and its reduction modulo 2 to $\mathbb{F}_2 \subset \mathbb{F}_q$.] 

A Frobenius morphism $\mathcal{F}$ can also be defined on $\mathbb{Z}_q$. In this case it is not a 
simple $q$-th powering operation but something much more complicated. We do 
not define it explicitly since we will never have to compute it. Similarly, there 
exists a little Frobenius morphism $\Sigma$. For further details on $\mathbb{Z}_q$ and its Frobenius 
maps, see |SEES|. 

A theorem of Lubin, Serre and Tate [LST64] guarantees the existence and 
uniqueness of a canonical lifted curve $\mathcal{E}$ over $\mathbb{Z}_q$ such that $\mathrm{End}(\mathcal{E}) = \mathrm{End}(E)$, via 
a canonical lift of the $j$-invariant. Indeed $J = j(\mathcal{E})$ is characterised by $J \equiv j(E)$ 
modulo 2 and $\Phi_2(J, \Sigma(J)) = 0$, where $\Phi_2$ is the 2-modular polynomial. 

A crucial part of Satoh's contribution is an efficient algorithm for lifting $j$- 
invariants. Instead of lifting $j(E)$ in isolation, he suggests lifting the whole cycle 
of conjugate $j$'s simultaneously. He also proposes considering the duals $\hat\Sigma_i$ of the 
little Frobenius isogenies instead of $\Sigma_i$ themselves. Indeed the duals are separable 
and hence are determined by their kernel. After having lifted the $j$-invariants 
using Satoh's method, we lift the coefficients of the curves and then compute the 
kernels by lifting a 2-torsion point on each conjugate curve, using the methods 
from [FGH00]. As a result, we compute the following diagram: 

[Diagram: the cycle of lifted curves $\mathcal{E}_0, \mathcal{E}_1, \ldots, \mathcal{E}_{d-1}, \mathcal{E}_0$ joined by the dual isogenies $\hat\Sigma_0, \hat\Sigma_1, \ldots, \hat\Sigma_{d-1}$, above the cycle $E_0, E_1, \ldots, E_{d-1}, E_0$ of conjugate curves, with vertical arrows $\pi$ from each $\mathcal{E}_i$ down to $E_i$.] 

Here the top row is over $\mathbb{Z}_q$ to the required precision and $\pi$ is reduction modulo 
2 down to $\mathbb{F}_q$. 

Computing the Trace in $\mathbb{Z}_q$. Since traces are preserved by taking the dual 
and by canonical lifting, we have the equation: 

$$\mathrm{Tr}(F) = \mathrm{Tr}(\mathcal{F}) = \mathrm{Tr}(\hat{\mathcal{F}}).$$ 

Moreover $\hat{\mathcal{F}}$ can be written as the composition 

$$\hat{\mathcal{F}} = \hat\Sigma_{d-1} \circ \cdots \circ \hat\Sigma_1 \circ \hat\Sigma_0.$$ 
To find its trace we go to the formal groups of the curves. In formal groups, 
isogenies are represented by power series and composing isogenies is done by 
composing the power series. The first coefficient $c_1$ of the power series of $\hat{\mathcal{F}}$ is 
related to its trace as follows: 

$$\mathrm{Tr}\,\hat{\mathcal{F}} = c_1 + \frac{q}{c_1}.$$ 

Therefore, computing the trace can be done by computing $c_1$, and the latter 
can be computed by composing all the power series of the $\hat\Sigma_i$. Only the first 
coefficients $g_i$ of the $\hat\Sigma_i$ have to be determined, and this can be done with Vélu's 
formulae [Vél71]. More precisely, $g_i^2$ is given by an explicit formula involving the 
lifted curves and 2-torsion. Taking one of the square roots of $\prod g_i^2$ produces the 
trace to sufficient precision for it to be recovered exactly using Hasse's bound. 

3.3 Description of the Algorithm 

In this section, we give a synthetic description of the algorithm. For a more 
detailed one, we refer the reader to [FGH00]. The general procedure is: 

Procedure MainAlgorithm 

Input: An elliptic curve $E$ defined over $\mathbb{F}_q$, with $j(E) \notin \mathbb{F}_4$. 

Output: The trace of the curve. 

1. Compute the cycle of $d$ curves $E_i$ and their $j$-invariants $j_i$. 

2. Lift all the $j_i$'s simultaneously, yielding $J_i$. 

3. Lift each curve by lifting its $a_6$ coefficient. 

4. Lift the kernel of each $\hat\Sigma_i$. 

5. Compute the trace from the lifted data. 

In this procedure, points 2, 3 and 4 concern the lifting of the cycle of curves 
and of the kernels. We will detail these first. An essential ingredient is Newton's 
iteration for improving the (2-adic) precision of a root of a function. 

Procedure LiftCurvesAnd2Torsion 

Input: A cycle of $d$ conjugate curves, and their $j$-invariants. 

Output: The canonical lift of this cycle over $\mathbb{Z}_q$. 

1. Lift the $j$-invariants simultaneously using an adaptation of the Newton iter- 
ation to the multivariate case. The function to be considered acts on a $1 \times d$ 
vector: $\Theta(x_0, \ldots, x_{d-1}) = (\Phi_2(x_0, x_1), \Phi_2(x_1, x_2), \ldots, \Phi_2(x_{d-1}, x_0))$ and the 
initial approximation of the root is the vector $(j_0, j_1, \ldots, j_{d-1})$ modulo 2. 

2. Lift each curve $\mathcal{E}_i$ by lifting its $a_6$ coefficient, yielding $A_i$, using a Newton 
iteration with the function $f(x) = 1 + J_i(x + 432x^2)$ and the initial approxi- 
mation $-1/J_i$ modulo 16. 

3. Lift the 2-torsion point in the kernel of each $\hat\Sigma_i$ yielding $(X_i, Y_i)$ on $\mathcal{E}_i$, using 
a Newton iteration based on the function $f(x) = 8x^3 + x^2 + A_i$ with initial 
approximation $1/J_{i+1}$ modulo 4. 
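Step 2 is a plain univariate Newton iteration in $\mathbb{Z}_q$ and can be run as written. The following is an added example, not code from the paper or its implementation: it models $\mathbb{Z}_q$ as $\mathbb{Z}_2[x]/(g(x))$ with the constructed choice $g(x) = x^{11} + x^2 + 1$ (the trinomial $f(x)$ of $\mathbb{F}_{2^{11}}$ lifted coefficient by coefficient, so $g \equiv f \bmod 2$), keeps coefficients modulo $2^{\mathrm{prec}}$, inverts units by the Newton iteration $y \leftarrow y(2 - ay)$ started from $a^{-1}$ computed in $\mathbb{F}_q$, and lifts the root $A$ of $f(x) = 1 + J(x + 432x^2)$ from $-1/J \bmod 16$. The value `J_EXAMPLE` is a constructed unit standing in for the canonical lift $J_i$; obtaining the real $J_i$ needs the cycle lift of step 1 with $\Phi_2$, which is not implemented here.

```python
# Added example (not code from the paper): the univariate 2-adic Newton
# iteration of step 2, with Z_q modelled as Z_2[x]/(g(x)).
# Constructed choices: g(x) = x^11 + x^2 + 1 (the trinomial of F_{2^11} lifted
# verbatim, so g reduces to f modulo 2); an element of Z_q is a list of D
# integer coefficients kept modulo 2^prec; J_EXAMPLE is an arbitrary unit
# standing in for the canonical lift of j(E) (the real one needs Phi_2).
D, K = 11, 2
Q = 1 << D
PREC = 64
ONE = [1] + [0] * (D - 1)

def zq_add(a, b, prec):
    m = 1 << prec
    return [(x + y) % m for x, y in zip(a, b)]

def zq_sub(a, b, prec):
    m = 1 << prec
    return [(x - y) % m for x, y in zip(a, b)]

def zq_scale(k, a, prec):
    m = 1 << prec
    return [(k * x) % m for x in a]

def zq_mul(a, b, prec):
    """Product in Z_2[x]/(g(x)) modulo 2^prec.  Since g(x) = x^D + x^K + 1,
    every x^i with i >= D is rewritten as -x^(i-D)(x^K + 1), top coefficient first."""
    prod = [0] * (2 * D - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] += ai * bj
    for i in range(2 * D - 2, D - 1, -1):
        c = prod[i]
        if c:
            prod[i] = 0
            prod[i - D + K] -= c
            prod[i - D] -= c
    m = 1 << prec
    return [c % m for c in prod[:D]]

def zq_pow(a, e, prec):
    r = ONE
    while e:
        if e & 1:
            r = zq_mul(r, a, prec)
        a = zq_mul(a, a, prec)
        e >>= 1
    return r

def zq_inv(a, prec):
    """Inverse of a unit a.  Start from a^(-1) mod 2, i.e. a^(q-2) computed at
    precision 1 (that is, in F_q), then apply y <- y(2 - a y); each step doubles
    the number of correct 2-adic bits, so precision is raised only as needed."""
    y = zq_pow(a, Q - 2, 1)
    two = [2] + [0] * (D - 1)
    p = 1
    while p < prec:
        p = min(2 * p, prec)
        y = zq_mul(y, zq_sub(two, zq_mul(a, y, p), p), p)
    return y

def f_eval(J, x, prec):
    """f(x) = 1 + J (x + 432 x^2); its root A is the lifted a_6 coefficient."""
    inner = zq_add(x, zq_scale(432, zq_mul(x, x, prec), prec), prec)
    return zq_add(ONE, zq_mul(J, inner, prec), prec)

def lift_a6(J, prec):
    """Newton iteration x <- x - f(x)/f'(x) with f'(x) = J (1 + 864 x).
    Start: x = -1/J mod 16, which is a root of f modulo 16 because 16 | 432.
    f'(x) = J (mod 2) is a unit, so every step doubles the precision."""
    x = zq_scale(-1, zq_inv(J, 4), 4)
    p = 4
    while p < prec:
        p = min(2 * p, prec)
        dfx = zq_mul(J, zq_add(ONE, zq_scale(864, x, p), p), p)
        x = zq_sub(x, zq_mul(f_eval(J, x, p), zq_inv(dfx, p), p), p)
    return x

J_EXAMPLE = [3, 1, 0, 5, 0, 0, 2, 0, 0, 1, 7]   # constructed unit; J mod 2 is neither 0 nor 1

def demo():
    return lift_a6(J_EXAMPLE, PREC)

if __name__ == "__main__":
    A = demo()
    print("A =", A)
    print("f(A) mod 2^64 =", f_eval(J_EXAMPLE, A, PREC))
```

Four Newton steps take the 4-bit starting value to 64 bits (4, 8, 16, 32, 64), and each step works at the precision just reached rather than at full precision, which is what keeps a univariate lift cheap; the same precision-doubling structure underlies the inversion routine used for $1/f'(x)$.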
With these algorithms, one can perform the lifting efficiently. Once this is 
done, it remains to compute the trace of $\hat{\mathcal{F}}$. The equations in the following 
algorithm are derived from Vélu's formulae. 

Procedure ComputeTrace 

Input: A cycle of $d$ curves, given by $A_i$, and 2-torsion abscissae $W_i$. 

Output: The trace of $\hat{\mathcal{F}}$. 

1. Compute the square of the first coefficient of the expansion of each $\hat\Sigma_i$ in the 
formal group of $\mathcal{E}_i$ using Vélu's formulae. The result is: 

^2 _ 1 - 252W + 19008Ai 

“ (1 + 120(W + 6X2)) 864A,+i) ‘ 

2. Compute $\prod_i g_i^2$. 

3. Compute $c$ by computing a square root of this product and by determining the sign 
using $c \equiv 1 \bmod 4$. 

4 Good Elliptic Curves in Cryptography 

The security of elliptic curve cryptosystems depends on the difficulty of solving 
the elliptic curve discrete logarithm (ECDL) problem. As mentioned in the in- 
troduction, there are several attacks against curves with special properties such 
as the one against trace 1 curves, or the MOV reduction for supersingular curves, 
etc. 

For random curves, the chance that one of these methods can apply is van- 
ishingly small. However there are other attacks that work for generic abelian 
finite groups. 

The first is Pohlig-Hellman reduction [PH78]. When the group order $N$ has 
all its prime factors small, discrete logs can be computed quickly by working in 
small subgroups. Thus for good security it is essential to pick a group whose 
order is divisible by a large prime. 

The other attacks are algorithms that run in time $O(\sqrt{N})$. They include 
Shanks' baby-step giant-step algorithm (see EM) and Pollard's $\rho$ method 
[Pol78]. In practice, the most difficult ECDL that has been computed is on a 
Koblitz curve over $\mathbb{F}_{2^{109}}$ using a distributed version of Pollard-$\rho$ iFCTini. 

By extrapolating the work required to larger sizes and allowing safety margins 
for future increases in computing power, it is generally believed (see fKIPS18ti, 
pi ADD], I FI dp:-)], [Sil00]) that a random curve whose order is divisible by a prime 
of at least 160 bits will offer reasonable security, comparable to 80-bit symmet- 
ric systems or 1024-bit RSA. For applications with the highest security require- 
ments, one may take larger safety margins. 

To find a secure curve, Lercier [Ler97a] proposed an early-abort strategy to 
use when computing the cardinality of the curve using SEA. The idea is to test 
on the fly if $q + 1 - c \equiv 0 \bmod \ell$. If the test is true, then we throw away the 
curve and try again with another one. Since SEA computes $c \bmod \ell$, this test 
is easy to implement and costs no extra run-time. In large characteristic where 
Satoh-FGH does not apply this is still the best known method and we refer to 
the existing literature on the subject dEa, iiKNViiAi . mm . 

A difficulty that arises when designing an early-abort strategy to use with 
the Satoh-FGH algorithm is that $c \bmod \ell$ is not available (except for $\ell$ a power 
of $p$). Our solution is to implement a simplified version of SEA to determine 
whether the curve has a rational point of $\ell$-torsion or not for the first few primes 
$\ell$, as a preliminary step before launching Satoh-FGH. There is a trade-off to be 
made between the extra cost of these calculations and the benefit to be gained by 
avoiding an entire cardinality computation. In practice we found this strategy to 
be very worthwhile and obtained run-times lower than those previously reported 
in the literature. 



5 Implementation and Results 

5.1 Implementation Details 

We wrote optimised implementations of the early-abort strategy and the Satoh- 
FGH algorithm for characteristic two, in the C programming language. This 
implementation of the early-abort strategy is independent of Lercier's one. For 
multiplication in $\mathbb{F}_q$ we used Karatsuba's algorithm; in $\mathbb{Z}_q$ we used Toom's al- 
gorithm. To ensure that modular reduction took very little time, we chose the 
irreducible polynomial to be a trinomial or pentanomial. For division we used 
the binary Euclidean algorithm in $\mathbb{F}_q$, and inversion by Newton iterations in $\mathbb{Z}_q$. 

Most of our timing tests were run on a 750 MHz EV6 Alpha. In order to 
compare results with [Ler97a], we also ran some tests on a 266 MHz EV4 Alpha 
identical to the one Lercier used. Note that the difference between these proces- 
sors is larger than a comparison of clock speeds alone would suggest: for 
usual applications, the gain is by a factor of about 15. Finally we timed curve 
generation for one small field on a 275 MHz StrongARM chip. 

In the early-abort part, as explained below, the most time consuming parts 
are lazy factorizations of small-degree polynomials over $\mathbb{F}_q$. The most frequent 
operation is multiplication in $\mathbb{F}_q$. We give relevant timings obtained on the 750 
MHz Alpha in Table 1. 



Table 1. Cost of a multiplication in $\mathbb{F}_q$ on a 750 MHz EV6 Alpha. 

Field size                                 163 bits   193 bits   239 bits   409 bits   571 bits 
Cost of a multiplication in $\mathbb{F}_q$   0.488 µs   0.639 µs   0.917 µs   2.632 µs   4.685 µs 



The most frequent operation in the point-counting part is multiplication in 
$\mathbb{Z}_q$. In Table 2 we give the time for one such operation at the highest 2-adic 
precision required, i.e., $\lceil d/2 \rceil + 3$ bits, for various field sizes $d$. These measurements 
were also done on the 750 MHz Alpha. 
Table 2. Cost of a multiplication in $\mathbb{Z}_q$ on a 750 MHz EV6 Alpha. 

Base field size                            163 bits   193 bits   239 bits   409 bits   571 bits 
Maximal precision                          85         100        123        208        289 
Cost of a multiplication in $\mathbb{Z}_q$   0.19 ms    0.24 ms    0.36 ms    4.6 ms     8.0 ms 



Table 3. Times for point-counting on a 266 MHz EV4 Alpha 

Field size   SEA (timings from [Ler97b])        Satoh-FGH   Ratio 
             Min       Max       Avg 
155 bits     58.8 s    132 s     86.5 s         36.3 s      2.4 
196 bits     212 s     1029 s    308 s          68.8 s      4.5 
300 bits     1519 s    3686 s    2434 s         408.4 s     6 



5.2 Counting the Number of Points on One Curve 

When computing the cardinality of a curve, one has to decide whether to use 
SEA or Satoh. Two cases have to be dealt with differently: the case of large 
characteristic and the case of small characteristic. 

The complexity of Satoh's algorithm has a bad dependency in the character- 
istic $p$ of the base field and when $p$ is large, it is not efficient at all. This is due 
to the use of the modular equation for the lifting of the curves. This equation 
has $O(p^2)$ coefficients that have to be known at least modulo 
a certain power of $p$. Hence 
a complexity which is exponential in $p$ appears to be unavoidable. On the other 
hand, the SEA algorithm is polynomial-time independently of $p$. For instance, 
Morain succeeded in counting the number of points of a curve over a field of size 
$10^{499} + 153$ [HEnSl. 

However in small characteristic Satoh's algorithm is efficient. In particular in 
characteristic two, Satoh-FGH is clearly faster than SEA in practice. To illustrate 
the difference in speed between the two algorithms, we compare Lercier's results 
[Ler97b] with the timings we get over the same fields, using an identical 266 MHz 
Alpha. The results are given in Table 3. We do not give minimal or maximal 
times for Satoh-FGH since the runtime of this algorithm is essentially constant 
when treating different curves over the same field. These results show that the 
bigger the field the greater the advantage for Satoh-FGH, as expected from the 
asymptotics. 

We give timings for point-counting on the 750 MHz Alpha in Table 4. Most 
of the field sizes that we chose are recommended in cryptographic standards 
(ANSI X9.63, IEEE P1363, IPSec, NIST, WAP). 

Remark: In some cases, the SEA and Satoh-FGH algorithms can be combined 
to speed-up point-counting. This works particularly well when the field size is 
such that the maximum precision required in Satoh-FGH is a little more than 
a multiple of the machine word-size. A good example is the field size $d$ for which the maximum 
precision in the lifting calculations is $\lceil d/2 \rceil + 3 = 129$ bits. In this case, computing 
Table 4. Times for point-counting on a 750 MHz EV6 Alpha 

Field size   Satoh-FGH   Field size   Satoh-FGH   Field size   Satoh-FGH 
157 bits     2.39 s      197 bits     4.45 s      283 bits     26.5 s 
163 bits     2.76 s      233 bits     6.57 s      409 bits     76.3 s 
193 bits     4.10 s      239 bits     6.94 s      571 bits     257 s 



the trace modulo 3 with the SEA algorithm allows the precision to be reduced 
to 128 bits which fits perfectly in a whole number of words. This approach could 
certainly be pushed further, although implementation complexity would appear 
to outweigh the moderate gain in speed. 

5.3 Finding a Good Curve 

The naive strategy to find a curve suitable for cryptographic use is to count the 
number of points for many curves, until one with almost prime order is found. 
As mentioned before, if the SEA algorithm is used then many bad curves can be 
detected early; this nice property does not hold for the Satoh-FGH algorithm. 

Hence, for small to medium sizes, the naive strategy using Satoh-FGH is not 
better than the early-abort strategy with SEA. For instance over $\mathbb{F}_{2^{155}}$, Lercier 
[Ler97b] was able to select the good curves among a set of 1000 random ones 
in 14112 seconds. On the same computer, the Satoh-FGH method takes 36.5 
seconds per curve, so that selecting the good ones would take 36500 seconds 
with the naive strategy, and would be worse by a factor 2.5. (For larger sizes, 
this phenomenon vanishes and Satoh-FGH is always better.) 

To counter this, we take advantage of both methods: we first eliminate many 
candidate curves by an early-abort strategy based on SEA’s techniques, and then 
run Satoh-FGH on the remaining ones. 

Let $E$ be a curve over $\mathbb{F}_q$. For a small prime $\ell$, $E$ is called $\ell$-good if its order 
is coprime to $\ell$, and $\ell$-bad otherwise. Early-abort works as follows for each $\ell$. 

1. Compute the number of roots of $\Phi_\ell(X, j(E))$. It can be 0, 1, 2 or $\ell + 1$. (The 
cases 1 or $\ell + 1$ cannot occur unless $q$ is a square modulo $\ell$.) 

2. If there are no roots, $E$ is $\ell$-good. 

3. Otherwise, for each root of $\Phi_\ell$, build the corresponding factor of the $\ell$-division 
polynomial and search for a root $x$ of the factor. If there is such an $x$ in $\mathbb{F}_q$ 
and a corresponding $y$ too, then $(x, y)$ is an $\ell$-torsion point over $\mathbb{F}_q$ and $E$ is 
$\ell$-bad. 

4. Otherwise $E$ is $\ell$-good. 

The major cost in step 1 is that of computing $X^q$ modulo $\Phi_\ell(X, j(E))$, which 
has degree $\ell + 1$. To accelerate the calculation, we replace $\Phi_\ell$ by the canonical 
modular polynomial which has the same degree but is sparser and involves 
lower powers of $j$. We refer to [Mor95] for the construction and the properties 
of these equations. 
Table 5. Average runtime for checking if $E$ is $\ell$-good (EV6 - 750 MHz) 

        $q = 2^{163}$                                    $q = 2^{239}$ 
ℓ       Root finding of Φ_ℓ(X, j)   Average total time   Root finding of Φ_ℓ(X, j)   Average total time 
3       0.17 ms                     0.17 ms              0.28 ms                     0.28 ms 
5       0.34 ms                     0.38 ms              0.61 ms                     0.68 ms 
7       0.34 ms                     1.18 ms              0.56 ms                     2.18 ms 
11      4.42 ms                     6.93 ms              9.14 ms                     14.1 ms 
13      1.07 ms                     4.19 ms              1.94 ms                     8.36 ms 
17      3.71 ms                     8.63 ms              7.34 ms                     17.9 ms 
19      4.97 ms                     11.6 ms              10.1 ms                     23.7 ms 



Heuristically, in half of the cases there will be no root (in such a case $\ell$ is 
called an Atkin prime) and we are done. Otherwise, we have to continue to step 3. 
The factor of the division polynomial corresponding to a root of the modular 
polynomial is calculated using a system of formulae due to Lercier [Ler97a]. For 
small $\ell$ the solution to this system can be written explicitly, and the factor is 
obtained at almost no cost. (For larger $\ell$ the system could be solved efficiently by 
an algorithm also due to Lercier.) The cost of searching for a root is dominated 
by the computation of $X^q$ modulo the factor, which has degree $(\ell - 1)/2$. 

In Table 5 we give the run-time for this procedure, measured on the 750 MHz 
Alpha. 

It is necessary to bound the maximum size of $\ell$ in order to balance the 
cost of early-abort against the gain obtained by avoiding point-counting. In 
theory, it would be beneficial to increase $\ell$ until the above early-abort procedure 
took approximately one $\ell$-th of the time required for point-counting. Hence the 
maximum size of $\ell$ would grow with the field size. 

However almost all of the advantage to be gained comes from using the first 
few primes and in practice we found $\ell \leq 19$ to be a good trade-off. For these 
primes it is not difficult to determine if curves are $\ell$-good: Lercier's construction 
of isogenies is relatively easy, as is the search for $\ell$-torsion points. Thus we were 
able to keep our code simple and reliable. 

For comparison with Lercier's results reported in [Ler97b], we ran some fur- 
ther tests on the 266 MHz Alpha. We chose a similar early-abort strategy, search- 
ing for good curves with order $4p$ without considering the twist curves at all (but 
see below). The results can be found in Table 6. As a first step in the early-abort, 
we determine whether the order is divisible by 8. This can be decided very quickly 
by computing $\mathrm{Tr}(a_6)$. Note that we measured our timings for 157 and 197 bits in- 
stead of 155 and 196 because composite extension fields may be weak in certain 
cases, as mentioned in the introduction. 

Next, in order to maximise the performance of curve generation we decided to 
search simultaneously for twist curves with order $2p$ and this allowed us roughly 
to double the speed. As is clear from section 2, the cardinality of the twist can 
be found immediately from that of the curve itself. Furthermore, the early-abort 
Table 6. Time to select good curves among 1000 (EV4 - 266 MHz) 

Field size   SEA (from [Ler97b])   Satoh-FGH + early-abort 
155 bits     14112 s               4490 s 
196 bits     30254 s               7850 s 



Table 7. Average time to find a good curve (EV6 - 750 MHz) 

Field size   Time for e.-a.    Remaining   Time to count      Good     Average time to 
(in bits)    on 10000 curves   curves      remaining curves   curves   find a good curve 
157          21.1 s            435         17.3 min           45       23.6 s 
163          23.1 s            473         21.7 min           55       24.1 s 
193          25.1 s            402         27.5 min           33       50.7 s 
197          30.8 s            415         30.8 min           43       43.6 s 
233          40.3 s            402         44 min             29       92.4 s 
239          43.5 s            435         50.3 min           29       105.6 s 
283          122 s             418         3 h 4 min          20       9.2 min 
409          245 s             467         9 h 54 min         22       27 min 
571          524 s             375         26 h 40 min        11       146 min 



strategy can easily be adapted to take the twist into account since it has the same 
$j$-invariant and the same division polynomials. (This is because the curve and 
its twist are isomorphic over an algebraic closure and the isomorphism preserves 
the abscissae.) 

One possibility would be to reject a pair consisting of a curve and its twist 
only when the early-abort strategy determines that both curves are cryptograph- 
ically unsuitable. Alternatively one may pursue a more aggressive strategy by 
rejecting them both as soon as either one is found to be unsuitable, and immedi- 
ately moving on to a new pair. Using the latter method for 10000 random curve 
pairs on the 750 MHz Alpha, we measured the timing results shown in Table 7. 

Although the space complexity of Satoh's algorithm grows quickly, the 
tricks described in [FGH00] keep the constant factor small. With these tricks, 
the largest key size we dealt with (571 bits) requires under 10 megabytes and 
for moderate key sizes the memory usage was only a few hundred kilobytes. We 
chose a different trade-off, using more memory in exchange for slightly higher 
speed. 

To investigate the possibility of generating curves in constrained environ- 
ments, we ran some tests at 113 bits on an ARM chip. This small key size 
is recommended for key-exchange in the Wireless Application Forum's WTLS 
standard (WAP) and can be used for short-term security at a level comparable 
to DES. The results can be seen in Table 8. 
Table 8. Time to find a good WAP curve on an ARM chip 

Field size   Frequency   Time to count one curve   Average time to find a good curve   RAM + ROM used 
113 bits     275 MHz     5.9 s                     38 s                                240 KB + 136 KB 



Table 9. New times for point-counting on a 750 MHz EV6 Alpha 

Field size   Time     Field size   Time     Field size   Time 
157 bits     0.50 s   197 bits     0.91 s   283 bits     6.32 s 
163 bits     0.56 s   233 bits     1.39 s   409 bits     19.4 s 
193 bits     0.84 s   239 bits     1.47 s   571 bits     58.2 s 



6 Conclusion 

The Satoh-FGH algorithm has proven to be the method of choice whenever one 
wants to compute the cardinality of a random elliptic curve defined over a finite 
field of characteristic two. But in spite of Satoh-FGH's excellent performance 
(see Section 5.2), the SEA algorithm should not be abandoned too quickly. In the 
case of large characteristic it is the only practical method available. Moreover 
the early-abort strategy, which is closely related to it, is valuable when looking 
for a curve for cryptographic use, even in small characteristic. By combining this 
technique and the Satoh-FGH algorithm, we obtain an efficient way of computing 
secure curves (see Section 5.3). We conclude that it is no longer necessary to use 
precomputed curves in cryptography since one can easily compute new curves as 
desired. Finding a curve with a security level comparable with RSA-1024 takes 
minutes or less. Curve generation for short-term security, with a level equivalent 
to DES, is feasible on a low-power chip. Finally, very high security levels similar 
to the highest AES level are now possible albeit in several hours. 



Remark 

We have recently implemented a new and quite different point-counting algo- 
rithm with lower memory requirements and a gain in speed by a factor ranging 
from 4 to 5 depending on key-size. For instance a secure 113-bit curve can be 
found in 8 seconds using 36 KB of RAM on the 275 MHz StrongARM. Repeating 
the calculations from Tables 4 and 7 gave the times in Table 9 and Table 10. 
Table 10. New times to find good curves (EV6 - 750 MHz) 

Field size   Average time to 
(in bits)    find a good curve 
157          5 s 
163          5 s 
193          10 s 
197          10 s 
233          21 s 
239          22 s 
283          138 s 
409          7 min 
571          34 min 
Abstract. We compare the method of Weil descent for solving the 
ECDLP, over extension fields of composite degree in characteristic two, 
against the standard method of parallelised Pollard rho. We give details 
of a theoretical and practical comparison and then use this to analyse 
the difficulty of actually solving the ECDLP for curves of the size needed 
in practical cryptographic systems. We show that composite degree ex- 
tensions of degree divisible by four should be avoided. We also examine 
the elliptic curves proposed in the Oakley key determination protocol 
and show that with current technology they remain secure. 



1 Introduction

Ever since its invention in 1986 by Koblitz [?] and Miller [?], elliptic curve
cryptography (ECC) has attracted considerable interest, since it enables improved
security, in the sense of greater perceived strength per bit of key, compared to
conventional systems such as RSA, with the added benefit of smaller key sizes,
less bandwidth and less computing power; see [?] for a complete treatment of
ECC. Various standards bodies, both government sponsored and industry led (for
example NIST [?] and SECG [?]), have standardised on elliptic curves defined over
fields of the form $\mathbb{F}_{2^p}$ and $\mathbb{F}_p$, where $p$ denotes a prime.

Despite this standardisation effort various people still propose using curves
defined over so-called composite extension fields, i.e. fields of the form
$\mathbb{F}_{q^n}$ where $q$ is some non-trivial power of the characteristic and
$n > 1$. Composite extension fields are chosen because they provide greater
computational efficiency for what at first glance appears to be the same security.
The improved efficiency is particularly pronounced in characteristic two, where
one chooses $q = 2^i$ and $n = 4$ or $5$; in these latter cases the use of lookup
tables to represent the subfield of degree 4 or 5 over $\mathbb{F}_2$ can
significantly improve the efficiency of the resulting cryptographic scheme.

However, recent work of Frey, Galbraith, Gaudry, Hess and Smart, see [?], [?]
and [?], has cast doubt on the claim that composite extension fields offer about
the same security as those fields defined in the standards. This recent work is
based on the technique of Weil descent. Even though the work on Weil descent is
now well known in the community there still appears to be a reluctance to drop
composite extension fields in certain quarters.

In this paper we investigate in detail the security of such systems and try to
quantify by how much the techniques based on Weil restriction weaken the
cryptographic system. We shall concentrate solely on the case of characteristic
two, which is important in applications. In Section 2 we shall review the method
of Weil restriction from [?]. In Section 3 we examine in more detail Gaudry's
method and explain a very efficient implementation of it. In Section 4 we compare
Gaudry's method for the hyperelliptic curves arising from Weil restriction to the
method of Pollard rho on the original elliptic curve. In Section 5 we discuss the
curve over $\mathbb{F}_{2^{155}}$ proposed in the Oakley key determination
protocol. Finally we give some conclusions.



2 The Method of Weil Restriction

Let $k = \mathbb{F}_q$ denote a finite field of characteristic two and let
$K = \mathbb{F}_{q^n}$ denote an extension of degree $n \ge 4$. Suppose we are
given an elliptic curve, defined over $K$,

$$E : Y^2 + XY = X^3 + \alpha X^2 + \beta$$

which is suitable for use in cryptography, i.e. $E(K)$ contains a large cyclic
subgroup of prime order $s \approx q^n$. In particular this means that $E$ must be
defined over $K$ and not over some proper subfield, since otherwise the order of
$E(K)$ would not be almost prime, unless $n$ were prime and $q = 2$. The elliptic
curve discrete logarithm problem (ECDLP) for such curves is the following: given
$P, Q \in E(K)$ such that

$$[s]P = [s]Q = \mathcal{O},$$

find $\lambda \in (\mathbb{Z}/s\mathbb{Z})^*$ such that

$$Q = [\lambda]P.$$

Now let $H$ denote an (imaginary quadratic) hyperelliptic curve of genus $g$,
defined over $k$,

$$H : Y^2 + h(X)\,Y = f(X)$$

where $\deg h(X) \le g$ and $\deg f(X) = 2g + 1$. The Jacobian of $H$ has about
$q^g$ elements and one can also consider a hyperelliptic curve discrete logarithm
problem (HCDLP) for such curves. We let the degree-zero divisor $D_1$ generate
some large cyclic subgroup of $\mathrm{Jac}_k(H)$ and let $D_2 \in \langle D_1 \rangle$.
The HCDLP is to find the integer $\lambda$ such that

$$D_2 = [\lambda]D_1.$$

Further details on the hyperelliptic group law and the HCDLP can be found in
[?] and [?].

The main result from [?] is the following: from an ECDLP in $E(K)$, i.e.
$P_2 = [\lambda]P_1$ with $\lambda \in (\mathbb{Z}/s\mathbb{Z})^*$, one can
construct a hyperelliptic curve $H$ of genus $g$ over $k$ and two divisors $D_1$
and $D_2$ of order $s$ in $\mathrm{Jac}_k(H)$ such that

- $g = 2^{m-1}$ or $2^{m-1} - 1$, where $1 \le m \le n$.
- $D_2 = [\lambda]D_1$.

We note that the construction of [?] is very fast and that the genus $g$ is almost
always equal to $2^{n-1}$ for curves of cryptographic interest. There is a small
probability that the construction does not actually work in practice, but for
real-life examples this can usually be ignored.

Why this result is interesting is that it maps the discrete logarithm problem
from a group $E(K)$, where the only known solution has exponential complexity in
the size of $q^n$, to a group $\mathrm{Jac}_k(H)$, where the best known solution
has subexponential complexity, albeit in the size of $q^g$.

However, for fixed genus there is an algorithm due to Gaudry which solves the
HCDLP in time roughly $O(q^2 (\log q)^2)$ (see Section 3), which is much better
than the algorithm for the equivalent ECDLP, which takes time
$O(q^{n/2} (\log q)^2)$. In [?] it is argued that for small fixed $n$, and hence
essentially fixed $g$, this provides evidence for the weakness of the ECDLP on
curves defined over composite extension fields, at least asymptotically. However,
the asymptotic complexity hides a very bad dependence on $g$, and hence such a
conclusion may not be substantiated on curves over field sizes of cryptographic
interest. In [?] a single experiment was reported on, involving an elliptic curve
over a field of the form $\mathbb{F}_{q^4}$ which gave rise to a hyperelliptic
curve of genus four. This experiment was conducted for an elliptic curve which is
not typical of elliptic curves over fields of the form $\mathbb{F}_{q^4}$. Curves
defined over $\mathbb{F}_{q^4}$ would usually give rise to a hyperelliptic curve
of genus eight. It is this latter problem that we aim to address here.



3 Analysing and Implementing Gaudry's Method

We refer to [?] for a detailed explanation of Gaudry's method for the HCDLP.
Essentially one takes a factor base of all the degree-one prime divisors on $H$
up to the equivalence

$$D_1 \equiv D_2 \quad\text{if}\quad D_1 = -D_2.$$

This gives approximately $q/2$ such divisors, but one selects by some appropriate
means (see [?]) a proportion, say $1/l$, of them. Hence, the total factor base
size is roughly

$$F = q/(2l).$$

Then one collects relations amongst the factor base elements by performing a
random walk. Once $F + 1$ relations have been found one can solve the HCDLP by
using a linear algebra technique for finding elements of the kernel of a large
sparse matrix over $\mathbb{F}_s$, such as Lanczos [?].

We define the following estimates of the bit-complexity of certain algorithms:

- $C_q$ = maximum cost of an arithmetic operation in $\mathbb{F}_q$. For fields
  of cryptographic interest this is given by $C_q = (\log q)^2$.
- $C_{q,g}$ = maximum cost of an arithmetic operation on a polynomial of degree
  $g$ over $\mathbb{F}_q$. For fields of cryptographic interest and polynomials of
  degree $g < 32$ the actual methods used have cost, using a Karatsuba-style
  multiplication, $C_{q,g} = g^{1.59}\, C_q$.
- $c_J$ = cost of a doubling/addition in the Jacobian of $H$. By the work of [?]
  this is a small constant number of polynomial operations; the balancing below
  uses $c_J = 22\, C_{q,g}$, which reproduces the values of $l$ in Tables 2 and 3.
- $C_s$ = maximum cost of an operation in $\mathbb{Z}/s\mathbb{Z}$; for values of
  $s$ of cryptographic interest, namely $s \approx q^n$, we have
  $C_s = (n \log q)^2$.

Arguing as in [?] one can see that Gaudry's algorithm then takes around

$$F\, l^g\, g!\, c_J$$

bit operations to compute the matrix (a random divisor is a product of $g$
factor-base elements from the chosen proportion with probability about
$1/(g!\,l^g)$) and then

$$F^2\, g\, C_s$$

bit operations to actually compute an element in the kernel. Here we have
assumed, as is borne out by experiment, that the operations in the Jacobian
dominate the time needed to compute the matrix.

The idea of the parameter $l$ is to balance the time for finding the matrix with
the time for solving the matrix. Assuming we have $X$ times more computing power
available to perform the relation finding, this gives the equation

$$2\, l^{g+1}\, g!\, c_J = C_s\, g\, q / X.$$

In theory one should choose $X = 1$, but in practice a given organisation probably
has more spare idle time available on desktop computers than on a single big
server like that needed to run the matrix step. When $X = 1$ this means we should
choose our proportion of good divisors as

$$l \approx \left( \frac{n^2 q}{44\, g!\, g^{0.59}} \right)^{1/(g+1)}.$$

But since we must have $l \ge 1$, we shall choose $l \approx \max(1, \cdot)$ of
this value. In particular this means that the overall complexity of the attack on
the ECDLP based on Weil descent is given by

$$\frac{(q n \ln q)^2\, g}{4} \left( \frac{n^2 q}{44\, g!\, g^{0.59}} \right)^{-2/(g+1)}
= (q n \ln q)^2\, 2^{n-3} \left( \frac{n^2 q}{44\, (2^{n-1})!\, (2^{n-1})^{0.59}} \right)^{-2/(2^{n-1}+1)}$$

on taking $g = 2^{n-1}$. Therefore, for fixed $n$ we obtain a complexity of

$$O(q^{2-\epsilon} (\log q)^2),$$

where $\epsilon = 2/(2^{n-1} + 1)$. For the purposes of extrapolating run times
later we shall take this as $O(q^2 (\log q)^2)$. We implemented Gaudry's
algorithm with the following optimisations:

- The field arithmetic in $\mathbb{F}_q$ was implemented using very fast
  hand-coded loops for the particular finite fields we were interested in, namely
  $q = 2^i$ with $i \le 31$. This on its own provided nearly a 200% improvement
  in performance.
- The polynomial code was also optimised heavily for the case where the
  polynomials have degree less than twenty, using Karatsuba-type techniques.
- The linear algebra step was run using the code used in the McCurley challenge
  [?]. We thank T. Denny and D. Weber for allowing us to use this code. This was
  run on a machine with 6 processors and 8 GB of RAM running HP-UX.
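The balancing argument above can be checked numerically. The following Python script is an added illustration, not code from the paper: it encodes the cost model with the constants stated above ($C_q = (\log q)^2$, $C_{q,g} = g^{1.59} C_q$, $c_J = 22\,C_{q,g}$, $C_s = (n \log q)^2$, logarithms to base 2), computes the balancing value of $l$, the value actually used and the factor base size $F = q/(2l)$, and returns the relation-step and matrix-step estimates in bit operations. The rounding rule for $l$ (nearest power of two, never below 1) is inferred from the tables in Section 4; Pollard rho is not modelled, since the crossover reported there is empirical.

```python
import math


def genus(n):
    """Generic genus of the curve obtained by Weil descent from F_{q^n}: 2^(n-1)."""
    return 2 ** (n - 1)


def c_q(q):
    """Bit cost of one F_q operation, C_q = (log q)^2 (base-2 logs throughout)."""
    return math.log2(q) ** 2


def c_qg(q, g):
    """Karatsuba-style operation on a degree-g polynomial over F_q: g^1.59 C_q."""
    return g ** 1.59 * c_q(q)


def c_j(q, g):
    """Jacobian addition/doubling, taken as 22 polynomial operations (assumed constant)."""
    return 22 * c_qg(q, g)


def c_s(q, n):
    """Operation modulo the group order s ~ q^n: (n log q)^2."""
    return (n * math.log2(q)) ** 2


def balance_l(q, n, g):
    """The l that equalises relation and matrix time for X = 1:
    l^(g+1) = C_s g q / (2 g! c_J) = n^2 q / (44 g! g^0.59)."""
    return (n * n * q / (44 * math.factorial(g) * g ** 0.59)) ** (1.0 / (g + 1))


def l_used(l):
    """The tables never take l below 1 and round it to the nearest power of two."""
    return 1 if l <= 1 else 2 ** round(math.log2(l))


def step_costs(q, n, g, l):
    """(relation step, matrix step) in bit operations for a factor base F = q/(2l)."""
    F = q / (2 * l)
    # a random divisor splits over the chosen 1/l of the factor base with
    # probability about 1/(g! l^g); F + 1 such relations are needed
    relation = F * l ** g * math.factorial(g) * c_j(q, g)
    # Lanczos on an F x F matrix with about g non-zeros per row over Z/sZ
    matrix = F * F * g * c_s(q, n)
    return relation, matrix


def asymptotic_exponent(n):
    """Exponent of q in the fixed-n complexity O(q^(2-eps) (log q)^2)."""
    return 2 - 2 / (2 ** (n - 1) + 1)


def compare(n, g, exponents):
    """One row per q = 2^i: (i, l, l used, F, relation bits, matrix bits)."""
    rows = []
    for i in exponents:
        q = 2 ** i
        l = balance_l(q, n, g)
        lu = l_used(l)
        rel, mat = step_costs(q, n, g, lu)
        rows.append((i, round(l, 2), lu, round(q / (2 * lu)), rel, mat))
    return rows


if __name__ == "__main__":
    for row in compare(4, 8, [7, 11, 13, 17, 19, 21]):
        print("q=2^%d l=%.2f used=%d F=%d relation=%.2e matrix=%.2e" % row)
```

With the unrounded $l$ the two step costs coincide exactly, which is the content of the balancing equation; with the rounded $l$ they differ by the small factors visible in Tables 2 and 3.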



4 Comparison with Pollard Rho

To have something concrete to compare the method of Weil descent to, we
implemented the parallel version of Pollard's rho method [?] for the ECDLP. We
used the method of distinguished points due to van Oorschot and Wiener [?], which
has been used in recent years to solve various challenge ECDLP examples set by
Certicom.

Since we are using elliptic curves defined over fields of the form
$\mathbb{F}_{q^n}$ where $n = 4$ or $5$, we implemented very efficient techniques
for these fields, using lookup tables for the subfields of degree 4 or 5 over
$\mathbb{F}_2$. In Table 1 we give the time needed to solve an elliptic curve
discrete logarithm problem on various elliptic curves over $\mathbb{F}_{q^4}$.
This was for an implementation on a network of 80 Sun Sparc-5 and Sparc-10s; for
comparison we also give the time to run the program on a single Sparc-10.



Table 1. Pollard rho for E(F_{q^4})

  q             2^7    2^11   2^13   2^17    2^19    2^21
  80 Sparcs     00:00  00:00  00:06  38:32   ≈11d    ≈621d
  Single Sparc  00:00  00:11  04:50  ≈38d    ≈3y     ≈71y

Times are given either in the format hrs:mins rounded to the nearest minute, or
in the format xd or xy to denote a certain number of days or years. A ≈ in the
table denotes an approximate run time deduced from running the program for a
reasonable length of time and then calculating the expected run time from this
empirical data. One should note that since the rho method is heuristic in nature
the running times represent an average for the small values of q.
In Tables 2 and 3 we give the run times for Gaudry's algorithm using the same set
of 80 Sun Sparc-5 and Sparc-10s to compute the matrix; we also give the estimate
of the time needed for a single Sparc-10 to compute the matrix. We also give the
time needed for the matrix step using an HP-UX machine which had 8 GBytes of RAM.
These times should be compared to the time needed to solve the equivalent problem
on the elliptic curve using Pollard rho.

Table 2. Numerical data for n = 4 and g = 4

  q                        2^7    2^11   2^13   2^17    2^19    2^21
  l                        1      1.6    2.2    3.8     5.1     6.78
  l used                   1      2      2      4       4       8
  F = #FB                  65     513    2049   16428   65537   131283
  Time for relation step
    80 Sparcs              00:00  00:00  00:01  00:55   05:15   68:00
    Single Sparc           00:00  00:02  00:10  16:50   70:00   ≈115d
  Time for matrix step     00:00  00:00  00:01  00:06   02:10   13:00

Table 3. Numerical data for n = 4 and g = 8

  q                        2^7    2^11   2^13   2^17    2^19
  max(1, l)                1      1      1      1       1.03
  l used                   1      1      1      1       1
  #F                       64     1024   4096   65536   262144
  Time for relation step
    80 Sparcs              00:05  01:20  05:45  43:45   ≈8d
    Single Sparc           01:30  19:20  95:10  ≈62d    ≈1250d
  Time for matrix step     00:00  00:00  00:02  31:00   ≈20d

We first examine the case of $n = 4$ and $g = 4$; this case occurs for around
$1/q$ of all elliptic curves defined over the field $\mathbb{F}_{q^4}$. As can be
seen from the table, the method of Weil descent provides a far more efficient way
of attacking such elliptic curves than the standard method of Pollard rho for all
values of $q$.

For the case $n = 4$ and $g = 8$, which is the most common case for elliptic
curve systems over fields of the form $\mathbb{F}_{q^4}$, we see that the
crossover point between Pollard rho and the method of Weil descent occurs at a
value of $q$ just over $2^{17}$. This, therefore, provides the missing evidence
from [?] that all curves over fields of composite extension degree divisible by
four should be avoided in cryptographic applications.

Hence, we now have a complete experimental treatment of the case $n = 4$ in the
method of Weil descent. The next case to consider is $n = 5$, which in fact turns
out to be the most interesting in practical applications. In the next section we
turn to this case.
5 The Oakley 'Well-Known Groups' 3 and 4

In [?] two elliptic curve groups are proposed for use in a key agreement protocol
used as part of the IPSEC set of protocols. These groups, denoted 'Well-Known
Group' 3 and 'Well-Known Group' 4, are defined as elliptic curves over fields of
composite degree over $\mathbb{F}_2$. The first group is defined over the field
$\mathbb{F}_{2^{155}}$, whilst the second is defined over the field
$\mathbb{F}_{2^{185}}$. Since the extension degrees of these fields over
$\mathbb{F}_2$ are composite, it is an open question as to whether these curves
should still be used within the IPSEC family of protocols. In this section we
shall concentrate solely on group 3.

Group 3 is defined by the equation

$$Y^2 + XY = X^3 + \beta$$

where

$$\beta = \omega^{18} + \omega^{17} + \omega^{16} + \omega^{13} + \omega^{12} + \omega^{9} + \omega^{8} + \omega^{7} + \omega^{3} + \omega^{2} + \omega + 1,$$

with $\omega^{155} + \omega^{62} + 1 = 0$. This has group order

$$\#E(\mathbb{F}_{2^{155}}) = 12 \cdot 3805993847215893016155463826195386266397436443.$$

We carried out a number of experiments on elliptic curves over fields of the form
$\mathbb{F}_{q^5}$. For the Pollard rho method, using the various optimisations
available in such fields, we obtained the times in Table 4.

Table 4. Pollard rho for E(F_{q^5})

  q             2^7    2^11   2^13   2^17    2^19
  80 Sparcs     00:00  00:06  06:30  ≈376d   ≈41y
  Single Sparc  00:00  02:05  ≈20d   ≈58y    ≈4000y

Extrapolating our experimental results on the Pollard rho algorithm to 'Well
Known Group' 3, it would appear that we would require $10^{?}$ years to solve the
discrete logarithm problem using our network of 80 Sparc-5 and Sparc-10
computers, or $10^{?}$ years using a single Sparc-10. Hence, it is clearly
currently infeasible to attack this curve using the Pollard rho algorithm.

We now turn our attention to whether it is feasible to attack 'Well Known
Group' 3 using techniques based on Weil descent.

How Secure Are Elliptic Curves over Composite Extension Fields?

Applying the method of [?] to this curve we obtain the hyperelliptic curve

$$H : Y^2 + h(X)\,Y = f(X)$$

with

$$h(X) = 1258097243\,X^{16} + 1177011841\,X^{8} + 540379308\,X^{4} + 1555798523\,X^{2} + 613019365\,X$$

and

$$f(X) = 558654746\,X^{33} + 1390366357\,X^{32} + \cdots + 1217310851\,X^{2} + 493932675\,X,$$

where the omitted terms have coefficients 577010024, 1211700991, 2017104043,
1674361774, 993950732, 1777282797, 1982857394, 144558341, 693983331, 1937134056,
1947274294 and 31687647, in decreasing order of exponent (the exponents
themselves, between 32 and 2, are not legible in the source). The curve is
defined over the field $\mathbb{F}_{2^{31}}$, where $w^{31} + w^{3} + 1 = 0$,
and $H$ has genus 16. In the above equation, to convert the decimal coefficients
to field elements one should first convert the decimal to binary and then use the
binary representation to define the polynomial in $w$ which gives the
corresponding field element. For example

$$1258097243 = w^{30} + w^{27} + w^{25} + w^{23} + w^{22} + w^{21} + w^{20} + w^{19} + w^{18} + w^{16} + w^{11} + w^{9} + w^{6} + w^{4} + w^{3} + w + 1.$$
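The conversion just described, together with the field arithmetic it feeds, as an added Python example (not code from the paper). It decodes the first coefficient of $h(X)$ into the polynomial in $w$ given above and implements $\mathbb{F}_{2^m}$ multiplication, exponentiation and inversion for an arbitrary reduction polynomial, so the same code handles $\mathbb{F}_{2^{31}}$ with $w^{31} + w^3 + 1$ and the field $\mathbb{F}_{2^{155}}$ of Group 3 with $\omega^{155} + \omega^{62} + 1$; as a check it verifies that $(0, \sqrt{\beta})$ lies on the Group 3 curve, using $\sqrt{\beta} = \beta^{2^{154}}$. The class and function names are the example's own.

```python
def int_to_terms(a):
    """Exponents of w (highest first) whose sum is the element written as the integer a."""
    return [i for i in range(a.bit_length() - 1, -1, -1) if (a >> i) & 1]


def terms_to_int(exps):
    """Inverse of int_to_terms."""
    return sum(1 << e for e in exps)


def poly_str(a):
    """Human-readable polynomial in w for the element a."""
    parts = ["1" if e == 0 else "w" if e == 1 else "w^%d" % e for e in int_to_terms(a)]
    return " + ".join(parts) if parts else "0"


class BinaryField:
    """F_{2^m}; elements are integers whose bits are the coefficients of the
    polynomial in w, reduced modulo the given degree-m polynomial."""

    def __init__(self, m, modulus):
        assert modulus >> m == 1, "modulus must have degree exactly m"
        self.m, self.modulus = m, modulus

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.m) & 1:        # replace w^m by the lower terms of the modulus
                a ^= self.modulus
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def inv(self, a):
        assert a != 0
        return self.pow(a, (1 << self.m) - 2)    # a^(2^m - 2) = a^(-1)


F2_31 = BinaryField(31, (1 << 31) | (1 << 3) | 1)        # w^31 + w^3 + 1
F2_155 = BinaryField(155, (1 << 155) | (1 << 62) | 1)    # w^155 + w^62 + 1 (Group 3)

COEFF = 1258097243                                        # first coefficient of h(X)
BETA = terms_to_int([18, 17, 16, 13, 12, 9, 8, 7, 3, 2, 1, 0])   # beta of Group 3


def on_curve(field, x, y, a, b):
    """Does (x, y) satisfy y^2 + xy = x^3 + a x^2 + b in the given field?"""
    lhs = field.mul(y, y) ^ field.mul(x, y)
    x2 = field.mul(x, x)
    rhs = field.mul(x2, x) ^ field.mul(a, x2) ^ b
    return lhs == rhs


def sqrt(field, a):
    """Square root in characteristic two: squaring is a bijection, so sqrt(a) = a^(2^(m-1))."""
    return field.pow(a, 1 << (field.m - 1))


if __name__ == "__main__":
    print(COEFF, "=", poly_str(COEFF))
    print("w^31 * 1 reduces to", poly_str(F2_31.mul(1 << 30, 2)))
```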

In our experiments using curves of genus 16 we found that it would take over
three years for the network of 80 workstations to compute a single relation for a
curve over a field of size $2^7$. Hence, it makes very little sense to extrapolate
from actual run times for Gaudry's algorithm. However, we can give a rough
estimate as to how long it would take to perform the two steps for the curve over
$\mathbb{F}_{2^{155}}$ considered above.

Firstly we note that for such a curve we would take $l = 1$ and hence the factor
base would have size

$$F \approx 2^{30}.$$

This on its own would imply that the matrix step would require around $10^{?}$
years to process using the code used to produce the examples in the last section.
To produce the matrix we estimate would take the network of 80 Sparcs over
$10^{?}$ years.

Hence, although the method of Weil descent would appear to produce a more
efficient way to attack systems based on 'Well Known Group 3', it would appear
that such curves are secure. However, this assumes there are no further
algorithmic improvements in either the method of Weil descent or the method of
Gaudry for solving the HCDLP.

6 Conclusion

The 'Well Known Groups' 3 and 4 in IPSEC may still be considered secure;
however, they are made less secure by the method of Weil descent. This does not
pose an immediate threat, but future algorithmic improvements could render them
insecure. It should be noted that since both Weil descent and Gaudry's algorithm
are comparatively recent advances one cannot rule out further algorithmic
improvements in the coming years.

For large genus the method of Gaudry will only be asymptotically better than
Pollard rho, as $q \to \infty$; this is due to the bad dependence of the
complexity estimate on $g$. For values of $g$ where $g$ is significantly larger
than $n$ the current techniques of Weil descent produce a major problem, namely
the ECDLP is in a group of order $q^n$, whilst using Weil descent we have mapped
it into a subgroup (of order $q^n$) of a group of order $q^g$. Hence, we seem to
have made our problem more difficult. It may be that the best algorithms for the
HCDLP in this setting are the ones which have asymptotic complexity

$$O(L_{q^g}(1/2, c)) = O\left(\exp\left((c + o(1))\sqrt{(\log q^g)(\log\log q^g)}\right)\right)$$

as $q$ is fixed and $g \to \infty$. However, there has been little work on
practical implementations of these methods, the only one in the literature being
described in [?]. The algorithm in [?] does not appear practical for the curve
which arose above when we considered the Oakley group.

We end by stating that for curves over characteristic two fields of size $2^p$,
where $p$ is prime, the method of Weil descent does not apply. In [?] it was
proved that for over fifty percent of all cryptographically interesting curves
over $\mathbb{F}_{2^p}$ the method of Weil descent would not apply. Recently,
Menezes and Qu [?] showed that the method did not apply to any cryptographically
interesting curves over $\mathbb{F}_{2^p}$.
Abstract. We present new constructions of non-malleable commitment schemes, in
the public parameter model (where a trusted party makes parameters available to
all parties), based on the discrete logarithm or RSA assumptions. The main
features of our schemes are: they achieve near-optimal communication for
arbitrarily-large messages and are non-interactive. Previous schemes either
required (several rounds of) interaction or focused on achieving non-malleable
commitment based on general assumptions and were thus efficient only when
committing to a single bit. Although our main constructions are for the case of
perfectly-hiding commitment, we also present a communication-efficient,
non-interactive commitment scheme (based on general assumptions) that is
perfectly binding.

1 Introduction

Commitment protocols are one of the most fundamental cryptographic primitives,
used as sub-protocols in such applications as zero-knowledge proofs (see
Goldreich, Micali, and Wigderson [?] and Goldreich [?]), secure multi-party
computation (see Goldreich, Micali, and Wigderson [?]), contract signing (see
Even, Goldreich, and Lempel [?]), and many others. Commitment protocols can also
be used directly; for example, in remote (electronic) bidding. In this setting,
parties bid by committing to a value; once bidding is complete, parties reveal
their bids by de-committing. In many of these settings, it is required that
participants, upon viewing the commitment of one party, be unable to generate a
commitment to a related value. For example, in the bidding scenario it is
unacceptable if one party can generate a valid commitment to $x + 1$ upon viewing
a commitment to $x$. Note that the value of the original commitment may remain
unknown (and thus secrecy need not be violated); in fact, the second party may
only be able to decommit his bid after viewing a decommitment of the first.
Unfortunately, most known commitment protocols are easily susceptible to these
types of attacks.

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 40-59, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001
Two types of commitment schemes have been considered in the literature:
perfectly-binding [?] and perfectly-hiding [?] (following [?] we refer to the
former as standard and the latter as perfect). In a standard commitment scheme,
each commitment is information-theoretically bound to only one possible (legal)
decommitment value; on the other hand, the secrecy of the commitment is
guaranteed only with respect to a computationally-bounded receiver. In a perfect
commitment scheme, the secrecy of the commitment is information-theoretic, while
the binding property guarantees only that a computationally-bounded sender cannot
find a commitment which can be opened in two possible ways. The type of
commitment scheme to be used depends on the application [?]; it may also depend
on assumptions regarding the computational power of the participants. For
example, in many protocols certain commitments are never opened;
information-theoretic privacy ensures that the committed data will remain hidden
indefinitely (for further discussion, see [?]).

Commitment size is an important parameter, particularly when committing to a
very large message such as the contents of a database. Unfortunately, standard
commitment schemes (even malleable ones) require commitment size at least
$M + \omega(\log k)$, where $M$ is the message size and $k$ is the security
parameter. Perfect commitment schemes, on the other hand, offer the opportunity
to achieve much shorter commitment lengths. Indeed, the non-malleable, perfect
commitment schemes presented here achieve commitment size only $3k$ for
arbitrarily-large messages.

Previous Work. Non-malleability was first explicitly considered by Dolev, Dwork,
and Naor [?], who define the notion in a number of different settings. They also
provide the first construction of a standard commitment scheme which is provably
non-malleable. Although their protocol is constructed from the minimal assumption
of a one-way function (in particular, without assuming a public random string),
it requires a non-constant number of rounds of interaction¹. Assuming a public
random string available to all participants, Di Crescenzo, Ishai, and Ostrovsky
[?] construct a non-interactive, non-malleable standard commitment scheme.
Interestingly, their construction can be modified to give a non-interactive,
non-malleable perfect commitment scheme. Unfortunately, the resulting commitments
are large (i.e., $O(Mk)$), thus motivating the search for more efficient
protocols.

Constructions of non-malleable public-key encryption schemes have also been
proposed [?]. In some cases, these constructions give non-malleable standard
commitment schemes, in the model where public parameters are published by a
trusted party. We discuss this connection in more detail in Section [?].

Two efficient non-malleable commitment schemes, based on stronger (but standard)
assumptions, have also been proposed. Like the construction of [?], these
protocols both require publicly-available parameters generated by a trusted party
(in some cases this can be reduced to the assumption of a public random string).
The first can be obtained from an adaptive chosen-ciphertext secure public-key
encryption scheme proposed by Cramer and Shoup [?], whose security is based on
the decisional Diffie-Hellman problem. More recently, non-malleable perfect
commitment schemes based on the discrete logarithm and RSA assumptions were
introduced by Fischlin and Fischlin [?]. Though efficient, these protocols require
interaction between the sender and receiver.

¹ Furthermore, their protocol allows an adversary to generate a different
commitment to an identical value (unless user identities are assumed). Other
protocols discussed in this paper (including our own) do not suffer from this
drawback.

Giovanni Di Crescenzo et al.

Our Contribution. We present the first efficient constructions of
non-interactive, non-malleable perfect commitment schemes. We work in the same
setting as other efficient non-malleable commitment schemes, where public
parameters are available to all participants [?] (our discrete logarithm
construction can be implemented in the public random string model using standard
techniques). Our constructions are based on the discrete logarithm or the RSA
assumptions. Previous constructions are either for the case of standard
commitment [?] or require interaction [?]. Our constructions allow efficient,
perfectly-hiding commitment to arbitrarily-large messages. The schemes described
in [?], while able to handle large messages, require modifications which render
them less efficient and also result in statistical secrecy only.

Additionally, we discuss the case of non-interactive, non-malleable, standard
commitment schemes and prove secure a folklore construction based on trapdoor
permutations which is near-optimal in terms of commitment size. The large
commitment size of this construction (though near-optimal) serves as motivation
for our consideration of perfect commitment schemes. Indeed, for
arbitrarily-large messages, our perfect commitment schemes require commitments
of size $3k$, where $k$ is the size of RSA or discrete log problems believed to
be hard to solve (see Section [?] for improvements which reduce the commitment
size even further). Our schemes require only $O(k)$ bits of public information.

2 Definitions

We discuss the communication models in which we present our constructions, and
recall the notions of commitment schemes, equivocable commitment schemes, and
finally non-malleable commitment schemes.

Communication models. We will consider two models: the public-random-string
model of [?], and a slight generalization of it, considered for instance by [?]
in the context of commitment schemes, which we call the public-parameter model.

The former model was introduced in order to construct non-interactive
zero-knowledge proofs (i.e., zero-knowledge proofs which consist of a single
message sent from a prover to a verifier). In this model, all parties share a
public reference string which is assumed to be uniformly distributed. The latter
model generalizes the public random string model in the following sense: all
parties still share a public reference string, which is now defined as the output
of an efficient algorithm (and may therefore have arbitrary distribution).

For a unified treatment, we present our definitions for the public-parameter
model, keeping in mind that analogous definitions may be obtained for the public
random string model if the algorithm generating the public reference string is
replaced by an algorithm which chooses a uniformly distributed string.
Commitment schemes. A commitment scheme $(\mathcal{TTP}, \mathcal{S}, \mathcal{R})$
in the public-parameter model is a two-phase protocol between two probabilistic
polynomial time parties $\mathcal{S}$ and $\mathcal{R}$, called the sender and the
receiver, respectively, such that the following is true. In the first phase (the
commitment phase), given the public reference string $\sigma$ returned by the
probabilistic polynomial time algorithm $\mathcal{TTP}$, $\mathcal{S}$ commits to
bit $b$ by computing a pair of keys $(\mathrm{com}, \mathrm{dec})$ and sending
$\mathrm{com}$ (the commitment key) to $\mathcal{R}$. Given just $\sigma$ and the
commitment key, the polynomial-time receiver $\mathcal{R}$ cannot guess the bit
with probability significantly better than $1/2$ (this is the hiding property).
In the second phase (the decommitment phase) $\mathcal{S}$ reveals the bit $b$
and the key $\mathrm{dec}$ (the decommitment key) to $\mathcal{R}$. Now
$\mathcal{R}$ checks whether the decommitment key is valid; if not, $\mathcal{R}$
outputs a special string $\bot$, meaning that he rejects the decommitment from
$\mathcal{S}$; otherwise, $\mathcal{R}$ can efficiently compute the bit $b$
revealed by $\mathcal{S}$ and is convinced that $b$ was indeed chosen by
$\mathcal{S}$ in the first phase (this is the binding property).

We remark that the commitment schemes considered in the literature can be divided
into two types, according to whether the hiding property holds with respect to
computationally bounded adversaries or to unbounded adversaries. Commitment
schemes of the first (resp., second) type have been shown to have applications to
zero-knowledge proofs (resp., arguments) [?]. A computationally-hiding
bit-commitment scheme has been constructed under the minimal assumption of the
existence of pseudo-random generators [?]. A perfectly-hiding bit-commitment
scheme has been constructed under the assumption of the existence of one-way
permutations [?]. Both schemes have been designed in the interactive model (where
no public reference string is available to parties); the former, however, can be
adapted to run in the public parameter model.

Equivocable commitment schemes. Informally, an equivocable commitment scheme in
the public parameter model is one for which there exists an efficient algorithm,
substituting for the trusted third party ($\mathcal{TTP}$), which outputs a set of
public parameters and a commitment such that: (a) the distribution of the
generated public parameters, the commitment, and any decommitment is exactly
equivalent to their distribution in a real execution of the protocol; and (b) the
commitment can be opened in more than one possible way.

Definition 1. Let $(\mathcal{TTP}, \mathcal{S}, \mathcal{R})$ be a
perfectly-hiding commitment scheme in the public parameter model over message
space $\mathcal{M}$. We say that $(\mathcal{TTP}, \mathcal{S}, \mathcal{R})$ is
perfectly equivocable if there exists a probabilistic, polynomial time equivocable
commitment generator $\mathrm{Equiv}$ such that:

1. $\mathrm{Equiv}_1(1^k)$ outputs $(\sigma, \mathrm{com}, s)$ (where $s$
   represents state information).

2. For all $m \in \mathcal{M}$, $\mathrm{Equiv}_2(s, m)$ outputs $\mathrm{dec}$
   such that:

   (a) $\mathcal{R}(\sigma, \mathrm{com}, \mathrm{dec}) = m$.

   (b) The following two random variables are identically distributed:

$$\{\sigma \leftarrow \mathcal{TTP}(1^k);\ (\mathrm{com}, \mathrm{dec}) \leftarrow \mathcal{S}(\sigma, m) : (\sigma, \mathrm{com}, \mathrm{dec})\}$$

$$\{(\sigma, \mathrm{com}, s) \leftarrow \mathrm{Equiv}_1(1^k);\ \mathrm{dec} \leftarrow \mathrm{Equiv}_2(s, m) : (\sigma, \mathrm{com}, \mathrm{dec})\}. \qquad \square$$
The notion of equivocable commitment was first discussed by Beaver [?]. In [?] it
was shown that an adaptation of the commitment scheme in [?] is equivocable in
the public random string model (this fact was used in the construction of the
non-malleable commitment scheme of [?]). Other applications of such schemes
include zero-knowledge protocols [?].

Non-malleable commitment schemes. Two definitions of non-malleable commitment have appeared in the literature, both seeking to capture the following intuition of security: if an adversary, after viewing a commitment to x, can produce a commitment to a related value y, then a simulator can perform at least as well without viewing a commitment to x. The difference is in the definition of "producing a commitment". In the original definition [?] (non-malleability with respect to commitment), generating a valid commitment of y is sufficient. Note that this definition does not apply to perfectly-hiding commitment schemes since for such schemes the value committed to by a commitment is not well-defined. In the definition of [2] (non-malleability with respect to opening), the adversary must also be able to give a (valid) decommitment to y after viewing the decommitment to x. Since our primary constructions are of perfectly-hiding commitment schemes (for which non-malleability with respect to opening is the appropriate notion), we present a formal definition of this variant, and refer the reader elsewhere for definitions of non-malleability with respect to commitment.



Definition 2. Let (TTP, S, $\mathcal{R}$) be a perfectly-hiding commitment scheme, and let k be a security parameter. We say that (TTP, S, $\mathcal{R}$) is ε-non-malleable (following [?]) with respect to opening if for all ε > 0 and every probabilistic, polynomial time algorithm A, there exists a simulator A' running in poly(k, 1/ε) time, such that for all poly-time computable, valid relations R (see note below), for all efficiently sampleable distributions D, we have:

$$\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k) < \varepsilon + \mathrm{negl}(k)$$

(for some negligible function negl), where:

$$\mathrm{Succ}^{NM}_{A,D,R}(k) \stackrel{\mathrm{def}}{=} \Pr\big[\sigma \leftarrow TTP(1^k);\ m_1 \leftarrow D;\ (com_1, dec_1) \leftarrow S(\sigma, m_1);\ com_2 \leftarrow A(\sigma, com_1);\ dec_2 \leftarrow A(\sigma, com_1, dec_1);\ m_2 \leftarrow \mathcal{R}(\sigma, com_2, dec_2) : com_1 \neq com_2 \wedge R(m_1, m_2) = 1\big]$$

$$\mathrm{Succ}_{A',D,R}(k) \stackrel{\mathrm{def}}{=} \Pr\big[m_1 \leftarrow D;\ m_2 \leftarrow A'(1^k, D) : R(m_1, m_2) = 1\big].\ \square$$

Definition of non-malleability: The definition of security above allows for the possibility that the simulator may do arbitrarily better than the adversary. The reason for this is that the adversary may simply refuse to decommit, even when it would have otherwise succeeded (see footnote). In any case, if a simulator can do better than an adversary who gets to see a commitment to m_1, the scheme still satisfies our intuition of non-malleability.

Valid relations. In order for relation R to be valid, we impose the following restriction: for all m ∈ M, we have R(m, ⊥) = 0. This could also be taken into account by checking that m_2 ≠ ⊥ in the definitions of success, above; however, we find it easier to simply work with valid relations only.

Multiple messages. The authors of [?] point out that a strictly stronger definition allows the adversary to produce several commitments $com^{(1)}, com^{(2)}, \ldots$, and later several decommitments $dec^{(1)}, dec^{(2)}, \ldots$ to messages $m^{(1)}, m^{(2)}, \ldots$. The simulator simply outputs messages $m^{(1)}, m^{(2)}, \ldots$. The adversary (or simulator) succeeds when a relation $R(m_1, m^{(1)}, m^{(2)}, \ldots)$ holds. For simplicity, we use the weaker definition in this paper. However, we stress that all the schemes in this paper are non-malleable with respect to this stronger definition.

History. The definition of [?] includes the possibility of giving the adversary hist(m_1) (for any computable function hist) before he is required to generate his commitment. We note that the current proof of our perfect commitment schemes does not consider this property.

3 Computationally-Hiding Commitment Schemes

We first (briefly) examine the case of standard commitment schemes. Note that the size of a standard, non-interactive commitment (even for malleable schemes) must be at least M + ω(log k), where M is the message length and k is the security parameter. Perfect binding implies that the size must be at least M, and semantic security requires, in particular, that each message have ω(poly(k)) possible commitments associated with it.

The lemma below indicates that we can achieve roughly this bound for standard non-malleable commitment, assuming the existence of trapdoor permutations (see footnote) (in the model with public parameters). The commitment scheme is built from the following components: first, we use a public-key cryptosystem that is indistinguishable under an adaptive chosen-ciphertext attack. Such a scheme can be obtained using a construction in [?], and we denote this scheme by $\mathcal{E}_{pk}(\cdot)$. Next, we use a symmetric-key cryptosystem (with secret key of length k) which is indistinguishable under adaptive chosen-ciphertext attack (which can be obtained using, e.g., the construction of [?]); we denote this scheme by $\mathcal{E}^*_K(\cdot)$. The

Footnote: For any relation R, a simulator exists for R as well as for its complement $\overline{R}$, so one might think that this "problem" can be avoided. The difficulty is that there is an asymmetry here, in that both R and $\overline{R}$ must satisfy $R(\cdot, \bot) = \overline{R}(\cdot, \bot) = 0$ (see the note on valid relations).

Footnote: Recall that [2] achieves a non-interactive, non-malleable computationally-hiding commitment using only one-way functions. However, their scheme requires commitment size O(kM).
commitment scheme works as follows: public parameters consist of a public key pk for the public-key cryptosystem. Commitment is done by choosing a random secret key for the symmetric-key system, encrypting this secret key using the public key, and then encrypting the committed message using the secret key. A commitment to message m is then computed as:

$$\mathcal{E}_{pk}(K) \circ \mathcal{E}^*_K(m). \qquad (1)$$

Decommitment consists of revealing m and the random bits used to form the commitment. Commitment verification is done in the obvious way.

Although the proof of the lemma is relatively straightforward (and is a "folk lemma" for the case of encryption), the result below was not widely known for the case of commitment. Indeed, there are some complications which require care to get right. A sketch of the proof can be found in Appendix A.

Lemma 1. Assuming the existence of trapdoor permutations, there exists a computationally-hiding commitment scheme in the public parameter model that is non-malleable with respect to commitment and has commitment size M + poly(k), where M is the size of the committed message and k is a security parameter.

Note that this lemma immediately implies the security (under the decisional Diffie-Hellman assumption) of the above construction when using the efficient public-key cryptosystem of [?] for $\mathcal{E}$ and any adaptive chosen-ciphertext-secure private-key cryptosystem $\mathcal{E}^*$. Finally, we note that the security requirements for $\mathcal{E}$ and $\mathcal{E}^*$ can be relaxed. One can show that $\mathcal{E}$ is only required to be non-malleable under a chosen-plaintext attack (NM-CPA) and $\mathcal{E}^*$ need only be indistinguishable under a P0 plaintext attack and an adaptive chosen-ciphertext attack (IND-P0-C2; see [?] for formal definitions). This allows for much greater efficiency since NM-CPA-secure public-key cryptosystems can be constructed more efficiently than IND-CCA2 schemes [12] and IND-P0-C2-secure private-key schemes may be deterministic. We remark that the result in the lemma applies to the public random string model when so-called dense public-key encryption schemes [?] are used.

4 Perfectly-Hiding Commitment Schemes

The computationally-hiding commitment scheme presented in Section 3 achieves near-optimal commitment size M + poly(k). We cannot hope to improve this by much (since computationally-hiding commitments have size at least M). In this section we present perfectly-hiding commitment schemes that improve significantly on the commitment length, achieving commitment size 3k for arbitrarily-large messages (see Section 5 for modifications allowing further reductions in the commitment size).

Both of our perfectly-hiding commitment schemes build on the paradigm established in [?], with changes which substantially improve the efficiency. A commitment consists of three components (A, B, Tag). The first component A is a commitment to parameters r_1 and r_2 for a one-time "message authentication code" (MAC) for B. The second component B contains the actual commitment to the message m, using public parameters which depend upon the first component A. Finally, Tag = MAC_{r_1,r_2}(B). An adversary who wishes to generate a commitment to a related value has two choices: he can either re-use A or use a different A'. If he re-uses A, with high probability he will be unable to generate a correct Tag for a different B', since he does not know the values r_1, r_2. On the other hand, if he uses a different A', the public parameters he is forced to use for his commitment B' will be different from those used for the original commitment; thus, the adversary will be able to decommit in only one way, regardless of how the original B is decommitted. In particular, if it is possible to equivocate B for a particular choice of A, an adversary who uses a different A' will be unable to equivocate B' (without breaking some computational assumption). We refer the reader to [?] for further discussion.

In [?], the dependence (upon A) of the public parameters used for commitment B was achieved via a "selector function" (see footnote), which results in public parameters of size dependent on the length of the committed message (as a consequence, the scheme can be efficient only in the case of commitment to a single bit). Here, we exploit algebraic properties to drastically reduce the size of the public parameters and obtain a more efficient scheme, even in the case of large messages.



4.1 Construction Based on the Discrete Logarithm Problem

The schemes discussed in this paper work over any group G of prime order for which extracting discrete logarithms is hard but multiplication is easy. However, for concreteness we will always assume that p, q are prime with q | p − 1 and the group G ⊂ $\mathbb{Z}_p^*$ is the set of elements of order q.

Our starting point is the perfect commitment scheme of Pedersen [?]. Let g, h be generators of G. To commit to a message m ∈ $\mathbb{Z}_q$, choose random r ∈ $\mathbb{Z}_q$ and output com = $g^m h^r$. This scheme achieves information-theoretic secrecy, since com is uniformly distributed in G; furthermore, it is computationally binding as long as the discrete logarithm problem is hard. Note that a simple extension of the scheme (which we refer to as extended-Pedersen) allows commitment to two messages: simply let g_1, g_2, g_3 be generators of G, and to commit to messages m_1, m_2 ∈ $\mathbb{Z}_q$, choose random r and output com = $g_1^{m_1} g_2^{m_2} g_3^{r}$. This scheme retains perfect secrecy; furthermore, computational binding of the extended-Pedersen scheme can be proved via a reduction to the standard Pedersen scheme (see [?]). Note further that the Pedersen and extended-Pedersen schemes are perfectly equivocable (one simply chooses public parameters with known discrete logarithms).
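The Pedersen and extended-Pedersen schemes just described, together with the trapdoor equivocation mentioned in the last sentence (an Equiv_1/Equiv_2 pair in the sense of Definition 1), as an added Python example; this is illustrative code, not the paper's, and the toy primes p = 2039, q = 1019 (with q | p − 1) are an assumption made so that it runs instantly:

```python
# Added example, not the paper's code: Pedersen and extended-Pedersen
# commitments over the order-q subgroup G of Z_p^*, plus the trapdoor
# equivocation the text mentions (public parameters with known discrete
# logarithms), i.e. an Equiv_1/Equiv_2 pair in the sense of Definition 1.
# ASSUMPTION: p = 2039, q = 1019 are toy primes constructed for illustration
# (q | p - 1); real parameters need a 2048-bit p and a 256-bit q.
import secrets

P, Q = 2039, 1019
assert (P - 1) % Q == 0


def random_generator() -> int:
    """Uniform element of G other than 1; each one generates the order-q group."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, (P - 1) // Q, P)
        if g != 1:
            return g


def pedersen_commit(g: int, h: int, m: int, r: int) -> int:
    """com = g^m h^r.  For uniform r in Z_q, com is uniform in G whatever m is,
    which is exactly the perfect-hiding property."""
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P


def pedersen_verify(g: int, h: int, com: int, m: int, r: int) -> bool:
    return com == pedersen_commit(g, h, m, r)


def ext_pedersen_commit(g1: int, g2: int, g3: int, m1: int, m2: int, r: int) -> int:
    """Extended Pedersen: commit to two messages at once, com = g1^m1 g2^m2 g3^r."""
    return pow(g1, m1 % Q, P) * pow(g2, m2 % Q, P) * pow(g3, r % Q, P) % P


def ext_pedersen_verify(g1, g2, g3, com, m1, m2, r) -> bool:
    return com == ext_pedersen_commit(g1, g2, g3, m1, m2, r)


def equiv1_pedersen():
    """Equiv_1: choose h = g^x with the trapdoor x known, and output com = g^u,
    which is not yet tied to any message."""
    g = random_generator()
    x = secrets.randbelow(Q - 1) + 1          # trapdoor log_g h, never 0
    h = pow(g, x, P)
    u = secrets.randbelow(Q)
    com = pow(g, u, P)
    return (g, h), com, (x, u)


def equiv2_pedersen(state, m: int) -> int:
    """Equiv_2: open com = g^u to m by solving m + x*r = u (mod q) for r."""
    x, u = state
    return (u - m) * pow(x, -1, Q) % Q


def opens_both_ways(m_a: int, m_b: int) -> bool:
    """True when one Equiv_1 commitment verifies as an opening to m_a and to m_b."""
    (g, h), com, st = equiv1_pedersen()
    return (pedersen_verify(g, h, com, m_a, equiv2_pedersen(st, m_a))
            and pedersen_verify(g, h, com, m_b, equiv2_pedersen(st, m_b)))
```

The honest receiver cannot distinguish an Equiv_1 commitment from a real one (both are uniform in G), which is the point of condition (b) in Definition 1; only the holder of the trapdoor x can produce the second opening, and without x doing so would yield log_g h.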

The public parameters, output by TTP(1^k), are primes p, q with q | (p − 1) and |p| = k, along with random generators g_1, g_2, g_3 of G. Additionally, a random function H is chosen from a family of universal one-way hash (UOWH) functions [?]. Commitment is as shown in Figure 1.



Footnote: A different implementation of this technique first appeared in [?].

Public: p, q, g_1, g_2, g_3; H : G → $\mathbb{Z}_q$

  S (input m ∈ $\mathbb{Z}_q$)                                        $\mathcal{R}$

  Commitment phase:
    r_1, r_2, r_3, r_4 ← $\mathbb{Z}_q$
    A = $g_1^{r_1} g_2^{r_2} g_3^{r_3}$
    α = H(A)
    B = $(g_1^{\alpha} g_2)^m g_3^{r_4}$
    Tag = MAC_{r_1,r_2}(B)
                               A, B, Tag  ------>

  Decommitment phase:
                               m, r_1, r_2, r_3, r_4  ------>
                                                         Verify: A = $g_1^{r_1} g_2^{r_2} g_3^{r_3}$
                                                                 B = $(g_1^{H(A)} g_2)^m g_3^{r_4}$
                                                                 Tag = MAC_{r_1,r_2}(B)

Fig. 1. DLog-based, NM perfect commitment scheme.



Theorem 1. Assuming the hardness of the discrete logarithm problem in the underlying group, the protocol of Figure 1 is an ε-non-malleable perfectly-hiding commitment scheme in the public-parameter model.

Proof. It is clear that the protocol is perfectly-hiding since B is uniformly distributed in group G independently from the distribution of every other component of the commitment. Computational binding of the protocol is also easy to show (proof omitted).

The proof of non-malleability is more involved; however, we provide some intuition here. As mentioned in Sec. 2, we prove non-malleability with respect to a single commitment output by the adversary; however, the same proof technique suffices to prove non-malleability with respect to multiple commitments. The simulator (which will do as well as the adversary without seeing the commitment) works as follows. First, it generates public parameters which are distributed identically to the real experiment, but for which the simulator knows some trapdoor information which allows it to perfectly equivocate its commitment (cf. Definition 1). The simulator generates a commitment com to a random message, gives this commitment to the adversary, and the adversary produces its commitment com_2. The simulator now tries to get the adversary to open com_2 (this will be the message output by the simulator). To do this, the simulator decommits com to a random message and gives the decommitment to the adversary, and repeats this step (rewinding the adversary each time) sufficiently many times until the adversary opens com_2 (see footnote). Since the simulator can perfectly equivocate its commitment, the adversary's view is equivalent to its view in the original experiment. Furthermore, we show that the adversary itself is unable to equivocate its commitment com_2 (under the discrete logarithm assumption). A complete proof follows.

Assume an adversary A which, given commitment (A, B, Tag), generates commitment (A', B', Tag'). Given decommitment (m, r_1, r_2, r_3, r_4), the adversary gives decommitment (m', r_1', r_2', r_3', r_4'). Following the proof structure of [?], we distinguish the following sub-cases:

Case 1. A' = A. If this occurs, there are two possibilities: either (r_1, r_2, r_3) = (r_1', r_2', r_3'), or not. If they are equal, since r_1 and r_2 are information-theoretically hidden from the adversary when giving his commitment (and assuming the security of the MAC), the adversary will have been unable (except with negligible probability) to generate B' ≠ B and Tag' such that Tag' = MAC_{r_1,r_2}(B'). If (r_1, r_2, r_3) ≠ (r_1', r_2', r_3'), we can construct an adversary C which, given oracle access to A, can violate the computational binding property of the extended-Pedersen scheme (via a standard reduction). Thus, the success probability of A in this case must be negligible.

Case 2. A' ≠ A but H(A') = H(A). If this happens, the security of the family of universal one-way hash functions is violated. Simply choose p, q along with random generators g_1, g_2, g_3. Then, select random m, r_1, r_2, r_3, r_4, generate the commitment (A, B, Tag), and output A. Upon being given a random member H from the UOWH family, run A on input the public parameters and the generated commitment. The first component of the commitment generated by A will then give the desired collision.

Case 3. A' ≠ A and H(A') ≠ H(A). This is the most interesting case to consider. Fix ε, D, and R, and assume adversary A. Denote the process of selecting group parameters, as run by TTP, by p, q, G ← $\mathcal{G}(1^k)$ (i.e., this selects primes p, q with q | p − 1 and |p| = k). We describe an equivocable commitment generator Equiv which will be used as a subroutine of simulator A':



Equiv_1(1^k)
  p, q, G ← $\mathcal{G}(1^k)$
  g_1, g_3 ← G; H ← UOWH
  r, s, t ← $\mathbb{Z}_q$
  A = $g_1^{r} g_3^{s}$; α = H(A)
  g_2 = $g_1^{-\alpha} g_3^{t}$
  σ = (p, q, g_1, g_2, g_3, H)
  r_2, u ← $\mathbb{Z}_q$
  r_1 = r + α r_2; r_3 = s − t r_2
  B = $g_3^{u}$; Tag = MAC_{r_1,r_2}(B)
  com = (A, B, Tag)
  s = (r_1, r_2, r_3, t, u)
  Output (σ, com, s)

Equiv_2((r_1, r_2, r_3, t, u), m)
  r_4 = u − t m
  dec = (m, r_1, r_2, r_3, r_4)
  Output dec



Footnote: If the adversary never opens its commitment, the simulator outputs ⊥.
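The scheme of Figure 1 and the equivocable generator Equiv_1/Equiv_2 above, as an added Python example (illustrative code, not the paper's). Two details the text leaves unspecified are assumptions here: H is SHA-256 of the group element reduced mod q (standing in for a member of a UOWH family), and MAC_{r_1,r_2}(B) = r_1·B + r_2 mod q (a one-time pairwise-independent MAC). The toy primes p = 2039, q = 1019 are likewise assumed for illustration. The helper commit_B also covers the unique-identifier variant of Section 5, where α is replaced by the user's id and the components A and Tag are dropped:

```python
# Added example, not the paper's code: the DLog-based commitment of Figure 1
# together with the equivocable generator Equiv from the proof of Theorem 1.
# ASSUMPTIONS (not fixed by the text):
#   * H: G -> Z_q is SHA-256 of the group element reduced mod q, a stand-in
#     for a member of a UOWH family;
#   * MAC_{r1,r2}(B) = r1*B + r2 mod q, a one-time pairwise-independent MAC;
#   * p = 2039, q = 1019 are toy primes constructed for illustration only.
import hashlib
import secrets

P, Q = 2039, 1019
assert (P - 1) % Q == 0


def random_generator() -> int:
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, (P - 1) // Q, P)
        if g != 1:
            return g


def H(A: int) -> int:
    """Hash a group element (as 4 big-endian bytes) into Z_q."""
    return int.from_bytes(hashlib.sha256(A.to_bytes(4, "big")).digest(), "big") % Q


def mac(r1: int, r2: int, B: int) -> int:
    return (r1 * B + r2) % Q


def commit_B(sigma, alpha: int, m: int, r4: int) -> int:
    """B = (g1^alpha g2)^m g3^r4.  With alpha = H(A) this is Figure 1; with
    alpha = id it is the unique-identifier variant of Section 5."""
    p, q, g1, g2, g3 = sigma
    base = pow(g1, alpha, p) * g2 % p
    return pow(base, m, p) * pow(g3, r4, p) % p


def ttp() -> tuple:
    """Honest public parameters: three independent random generators of G."""
    return (P, Q, random_generator(), random_generator(), random_generator())


def commit(sigma, m: int):
    """Sender S of Figure 1: returns (com, dec)."""
    p, q, g1, g2, g3 = sigma
    r1, r2, r3, r4 = (secrets.randbelow(q) for _ in range(4))
    A = pow(g1, r1, p) * pow(g2, r2, p) * pow(g3, r3, p) % p   # extended Pedersen
    B = commit_B(sigma, H(A), m % q, r4)
    return (A, B, mac(r1, r2, B)), (m % q, r1, r2, r3, r4)


def receive(sigma, com, dec):
    """Receiver of Figure 1: the message m, or None if the opening is invalid."""
    p, q, g1, g2, g3 = sigma
    A, B, tag = com
    m, r1, r2, r3, r4 = dec
    if A != pow(g1, r1, p) * pow(g2, r2, p) * pow(g3, r3, p) % p:
        return None
    if B != commit_B(sigma, H(A), m, r4):
        return None
    if tag != mac(r1, r2, B):
        return None
    return m


def equiv1():
    """Equiv_1(1^k): parameters distributed like ttp()'s, plus trapdoor state."""
    g1, g3 = random_generator(), random_generator()      # may come from outside
    r, s, t = (secrets.randbelow(Q) for _ in range(3))
    A = pow(g1, r, P) * pow(g3, s, P) % P
    alpha = H(A)
    g2 = pow(g1, (-alpha) % Q, P) * pow(g3, t, P) % P    # g2 = g1^{-alpha} g3^t
    sigma = (P, Q, g1, g2, g3)
    r2, u = secrets.randbelow(Q), secrets.randbelow(Q)
    r1 = (r + alpha * r2) % Q                            # so A = g1^r1 g2^r2 g3^r3
    r3 = (s - t * r2) % Q
    B = pow(g3, u, P)                                    # (g1^alpha g2)^m g3^r4 = g3^(tm + r4)
    return sigma, (A, B, mac(r1, r2, B)), (r1, r2, r3, t, u)


def equiv2(state, m: int):
    """Equiv_2(s, m): open the Equiv_1 commitment to an arbitrary m."""
    r1, r2, r3, t, u = state
    return (m % Q, r1, r2, r3, (u - t * m) % Q)          # r4 = u - t*m
```

Because g_1^α g_2 = g_3^t under the trapdoor parameters, B = g_3^u opens to any m by adjusting r_4 alone, while A and Tag stay fixed; this is what lets the simulator rewind the adversary with fresh decommitments of the same com. Note that equiv1 never needs log_{g_3} g_1, which is the property the Case 3 reduction relies on.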
Note that Equiv satisfies Definition 1. In particular, the distributions of the public parameters output by Equiv and those of the real protocol are the same; they differ only in the "trapdoor" information stored by Equiv. Furthermore, note that p, q, g_1, g_3 can be chosen at random and given to Equiv; knowledge of $\log_{g_3} g_1$ is not necessary. This will be crucial for the proof of security. We now describe the simulator A'(1^k, D):

A'(1^k, D)
  (σ, com, s) ← Equiv_1(1^k)
  Fix random coins ω
  com_2 = A(σ, com; ω)
  Repeat at most $2\varepsilon^{-1} \ln 2\varepsilon^{-1}$ times:
    m_1 ← D
    dec = Equiv_2(s, m_1)
    dec_2 = A(σ, com, dec; ω)
    m_2 = $\mathcal{R}$(σ, com_2, dec_2)
    if m_2 ≠ ⊥ break
  Output m_2

We show that the difference $\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k)$ (with terms as defined in Definition 2) is negligible. Straightforward manipulation, using the fact that Equiv is a perfectly equivocable commitment generator and (TTP, S, $\mathcal{R}$) is a perfect commitment scheme, gives:

$$\mathrm{Succ}^{NM}_{A,D,R}(k) = \Pr\big[\sigma \leftarrow TTP(1^k);\ m_1 \leftarrow D;\ \omega \leftarrow \Omega;\ r_1, r_2, r_3 \leftarrow \mathbb{Z}_q;\ (com_1, dec_1) \leftarrow S(\sigma, m_1; r_1, r_2, r_3);\ m_2 = \mathcal{R}(\sigma, A(\sigma, com_1; \omega), A(\sigma, com_1, dec_1; \omega)) : R(m_1, m_2) = 1\big]$$

and

$$\mathrm{Succ}_{A',D,R}(k) = \Pr\big[\sigma \leftarrow TTP(1^k);\ m_1 \leftarrow D;\ \omega \leftarrow \Omega;\ r_1, r_2, r_3 \leftarrow \mathbb{Z}_q;\ (com_1, dec_1) \leftarrow S(\sigma, m_1; r_1, r_2, r_3);\ m_2' = \mathcal{R}(\sigma, A(\sigma, com_1; \omega), A(\sigma, com_1, dec^*; \omega)) : R(m_1, m_2') = 1\big].$$

The notation dec* represents the fact that the decommitment given to A was produced according to algorithm A'. In particular, dec* represents either the first decommitment given to A which resulted in m_2' ≠ ⊥, or the $(2\varepsilon^{-1} \ln 2\varepsilon^{-1})$-th decommitment given to A (if all decommitments up to then had m_2' = ⊥). Define the tuple (σ; ω; r_1, r_2, r_3; com_1) as good if the following holds:

$$\Pr\big[m_1 \leftarrow D : \mathcal{R}(\sigma, A(\sigma, com_1; \omega), A(\sigma, com_1, dec_1; \omega)) \neq \bot\big] > \varepsilon/2,$$

(the above probability is over choice of m_1 only; note that once the tuple is fixed, the choice of m_1 determines r_4, and hence dec_1). Furthermore, define event Good as
occurring when the tuple generated by the experiment is good. We now have (for brevity, we denote generation of a random tuple by γ ← Γ(1^k); also, we denote m_2 = $\mathcal{R}$(σ, A(σ, com; ω), A(σ, com, dec; ω)) by m_2 = A(σ, com, dec)):

$$\begin{aligned}
&\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k) = \\
&\quad \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1) : R(m_1, m_2) \wedge \mathrm{Good}] \\
&\quad + \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1) : R(m_1, m_2) \wedge \overline{\mathrm{Good}}] \\
&\quad - \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2' = A(\sigma, com_1, dec^*) : R(m_1, m_2') \wedge \mathrm{Good}] \\
&\quad - \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2' = A(\sigma, com_1, dec^*) : R(m_1, m_2') \wedge \overline{\mathrm{Good}}],
\end{aligned}$$

from which we derive (by definition of event Good):

$$\begin{aligned}
&\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k) \leq \\
&\quad \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1) : R(m_1, m_2) \wedge \mathrm{Good}] + \varepsilon/2 \\
&\quad - \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2' = A(\sigma, com_1, dec^*) : R(m_1, m_2') \wedge \mathrm{Good}].
\end{aligned}$$

But this, in turn, implies:

$$\begin{aligned}
&\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k) \leq \\
&\quad \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1);\ m_2' = A(\sigma, com_1, dec^*) : \\
&\qquad R(m_1, m_2) \wedge \overline{R(m_1, m_2')} \wedge \mathrm{Good}] + \varepsilon/2,
\end{aligned}$$

which can be re-written as:

$$\begin{aligned}
&\mathrm{Succ}^{NM}_{A,D,R}(k) - \mathrm{Succ}_{A',D,R}(k) \leq \\
&\quad \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1);\ m_2' = A(\sigma, com_1, dec^*) : \\
&\qquad R(m_1, m_2) \wedge \overline{R(m_1, m_2')} \wedge m_2' = \bot \wedge \mathrm{Good}] \qquad (2) \\
&\quad + \Pr[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow D;\ m_2 = A(\sigma, com_1, dec_1);\ m_2' = A(\sigma, com_1, dec^*) : \\
&\qquad R(m_1, m_2) \wedge \overline{R(m_1, m_2')} \wedge m_2' \neq \bot \wedge \mathrm{Good}] \qquad (3) \\
&\quad + \varepsilon/2.
\end{aligned}$$

We now bound probabilities (2) and (3). First, notice that expression (2) is bounded from above by the probability that m_2' = ⊥. However, the definition of event Good and a straightforward probability calculation show that:

$$\Pr[\gamma \leftarrow \Gamma(1^k);\ m_2' \leftarrow A(\sigma, com_1, dec^*) : m_2' = \bot \wedge \mathrm{Good}] \leq \Pr[\gamma \leftarrow \Gamma(1^k);\ m_2' \leftarrow A(\sigma, com_1, dec^*) : m_2' = \bot \mid \mathrm{Good}] \leq \varepsilon/2.$$

Finally, notice that for the event in expression (3) to occur, we must have m_2' ≠ ⊥ and m_2 ≠ m_2'. But this then gives a Pedersen commitment com_2 (using generators g_3 and $g_1^{\alpha'} g_2 = g_1^{\alpha' - \alpha} g_3^{t}$) which is decommitted in two different ways. This would allow determination of $\log_{g_3} g_1$ (recall that α' ≠ α since we are dealing with Case 3). The experiment is as follows: choose random ω and r_1, r_2, r_3 and run Equiv using the given values g_1, g_3 to generate σ and com_1 (recall that knowledge of $\log_{g_3} g_1$ is not necessary to run Equiv). The adversary A then produces a commitment com_2. Following the description of A', run A to obtain a decommitment to message m_2'. Then, decommit once more to a randomly selected m_1 and give this as input to A to obtain a decommitment to m_2. If m_2 ≠ ⊥ and m_2' ≠ ⊥ and m_2 ≠ m_2' (which we call event Success), then $\log_{g_3} g_1$ can be calculated, as discussed above. But the probability of Success is bounded from below by expression (3); by assumption, however, the discrete logarithm problem is intractable and thus:

$$(3) \leq \Pr[\mathrm{Success}] \leq \mathrm{negl}(k).$$

Putting everything together gives the desired result. □

Note that the proof of non-malleability is exactly the same even if the message is hashed before commitment. Equiv can still perfectly equivocate to any (random) message M by first computing m = $\mathcal{H}(M)$ and then running the identical Equiv_2 algorithm. The simulator A' is also identical (messages will be longer, but this does not affect the analysis). The hash function must be collision resistant for the binding property to hold, but no other assumptions about the hash function are necessary, and the scheme is still perfectly secret (see footnote). The present scheme therefore gives a practical method for committing to arbitrarily long messages.

We remark that by making minor modifications to the above protocol, it can 
be proven secure in the public random string model as well. 

We give an alternate proof of Theorem 1 in App. B. This proof, while more complicated than the proof given above, achieves a slightly stronger security guarantee by using a simulator which runs in expected polynomial time.



4.2 Construction Based on RSA 

We have also developed an efficient non-interactive, non-malleable perfect com- 
mitment scheme based on the RSA assumption. Since the ideas underlying this 
construction, as well as the proof of security, are substantially similar to the 
scheme presented above, we defer details to the full version of this paper. 



5 Extensions

There are extensions of our scheme which may be of practical value:

Reducing the commitment size. Our schemes produce commitments com = (A, B, Tag) of size 3k, where k is the length of the string representing a group element. However, inspection of the proof of Thm. 1 reveals that one can replace this with any string that uniquely binds the sender to com. At least two modifications in this vein seem useful:

Footnote: This can be compared to [?] which requires added complications when using an arbitrary hash function and achieves only statistical secrecy.

— Using a collision-resistant hash function h, we can replace the commitment com with h(com). The decommitment phase is the same as before. This does not increase the computational cost of the protocol by very much. The resulting commitment size is the output length of a hash function believed to be collision-resistant, e.g. SHA or MD5. In particular, this allows us to achieve optimal commitment size O(ω(log k)), assuming an appropriate hash function. Note that this approach (hashing the commitment) does not seem to give provable security for general non-malleable commitment schemes, yet it does work (as can be seen by careful examination of the proof) for the particular construction given here.

— By adding one more public parameter and making appropriate (small) modifications to the scheme, we can set the commitment to the product of A, B and Tag (assuming Tag is computed as [...], which serves as an information-theoretically secure MAC). This reduces the commitment length to k. We defer a proof of security to the full version of the paper.

Unique identifiers. As mentioned in [?], in many situations there is a unique identifier (ID) associated to each user and using them can improve the efficiency of non-malleable primitives. This is also true of our scheme. If each user in the system has ID id ∈ $\mathbb{Z}_q$, we can simplify the scheme by replacing α with id. An adversary who attempts to generate related commitments must do so with respect to his identifier id' ≠ id. The public parameters are p, q and three generators g_1, g_2, g_3. The commitment is B = $(g_1^{id} g_2)^m g_3^{r}$ (the components A and Tag are no longer needed, since their only role in the original protocol was to force an adversary to change α). The proof of non-malleability is the same as for the original scheme except there is no need to handle cases 1 and 2.
zero probability of decryption error (see footnote). Thus, revealing the randomness used to generate the commitment perfectly binds the sender to the message.

The proof of non-malleability with respect to commitment will imply that the scheme is semantically secure (this has been noted previously for the case of encryption [?], but a similar result holds for the case of commitment). Note that if we can prove that (1) constitutes a non-malleable (public-key) encryption scheme, we are done. Using the results of [2], it suffices to prove that (1) is secure under adaptive chosen-ciphertext attack.

Consider an adversary A who has non-negligible advantage in attacking (1) under an adaptive chosen-ciphertext attack. Define adversary B which uses A as a black box to break $\mathcal{E}_{pk}$ under an adaptive chosen-ciphertext attack (the notation $\mathcal{D}(\cdot)$ means that B is given access to a decryption oracle for $\mathcal{E}_{pk}$):

Algorithm $B_1^{\mathcal{D}(\cdot)}(1^k, pk)$
  (M_0, M_1, s) ← $A_1^{\mathcal{D}(\cdot)}(1^k, pk)$
  K ← {0,1}^k
  b ← {0,1}
  C ← $\mathcal{E}^*_K(M_b)$
  return (K, 0^k, (C, s))

Algorithm $B_2^{\mathcal{D}(\cdot)}(y, (C, s))$
  b' ← $A_2^{\mathcal{D}(\cdot)}(y \circ C, s)$
  if b' = b return 1
  else return 0

The notation $\mathcal{D}(\cdot)$ means that decryption oracle queries of A are handled by B in the following way: in the first stage, when A submits ciphertext y' ∘ C' to its decryption oracle, B submits y' to its decryption oracle for $\mathcal{E}_{pk}$, receives key K', and then computes M' := $\mathcal{D}_{K'}(C')$. In the second stage, B answers as before except that A might submit a ciphertext y ∘ C'. Note that B would not be allowed to submit y to its decryption oracle, since he cannot ask for decryption of the challenge ciphertext. Instead, B "assumes" that y is an encryption of K, and computes the response M := $\mathcal{D}_K(C')$. Adaptive chosen-ciphertext security of $\mathcal{E}_{pk}$ implies that the advantage of B is negligible.

We now consider the following adversary C which uses A as a black box to break $\mathcal{E}^*$ under an adaptive chosen-ciphertext attack. Here, the notation $\mathcal{D}(\cdot)$ means that C is given access to a decryption oracle for $\mathcal{E}^*_K$ (where K is some secret key unknown to C). We let Gen denote the algorithm which selects public and private keys for $\mathcal{E}$.

Algorithm $C_1^{\mathcal{D}(\cdot)}(1^k)$
  (pk, sk) ← Gen(1^k)
  (M_0, M_1, s) ← $A_1^{\mathcal{D}(\cdot)}(1^k, pk)$
  y ← $\mathcal{E}_{pk}(0^k)$
  return (M_0, M_1, (y, sk, s))

Algorithm $C_2^{\mathcal{D}(\cdot)}(C, (y, sk, s))$
  b' ← $A_2^{\mathcal{D}(\cdot)}(y \circ C, s)$
  return b'

Footnote: This can be relaxed slightly, but since many commonly-used encryption schemes already have this property, we assume it here for simplicity of exposition.

Here, the notation $\mathcal{D}(\cdot)$ means that decryption oracle queries of A are handled by C in the following way: in the first stage, when A submits ciphertext y' ∘ C' to its decryption oracle, C decrypts y' to get K' (it knows the secret key) and then computes M' := $\mathcal{D}_{K'}(C')$. In the second stage, however, C answers as before unless A submits a ciphertext y ∘ C'. In this case, C submits C' to its decryption oracle for $\mathcal{E}^*_K$ and returns the result to A. Adaptive chosen-ciphertext security of $\mathcal{E}^*$ implies that the advantage of C is negligible.

Informally, define the following probabilities of success:

$$\begin{aligned}
p_{0,r} &\stackrel{\mathrm{def}}{=} \Pr[A^{\mathcal{D}(\cdot)}(\mathcal{E}_{pk}(K) \circ \mathcal{E}^*_K(M_0)) = 0] \\
p_{0,f} &\stackrel{\mathrm{def}}{=} \Pr[A^{\mathcal{D}(\cdot)}(\mathcal{E}_{pk}(0^k) \circ \mathcal{E}^*_K(M_0)) = 0] \\
p_{1,r} &\stackrel{\mathrm{def}}{=} \Pr[A^{\mathcal{D}(\cdot)}(\mathcal{E}_{pk}(K) \circ \mathcal{E}^*_K(M_1)) = 1] \\
p_{1,f} &\stackrel{\mathrm{def}}{=} \Pr[A^{\mathcal{D}(\cdot)}(\mathcal{E}_{pk}(0^k) \circ \mathcal{E}^*_K(M_1)) = 1].
\end{aligned}$$

B's advantage is given by $\tfrac{1}{2}\{\tfrac{1}{2}(1 - p_{0,f}) + \tfrac{1}{2}(1 - p_{1,f})\} + \tfrac{1}{4}(p_{0,r} + p_{1,r})$. C's advantage is given by $\tfrac{1}{2}(p_{0,f} + p_{1,f})$. Note that these are both negligible, by the arguments advanced above. Finally, the advantage of A in the original experiment is given by $\tfrac{1}{2}(p_{0,r} + p_{1,r})$. Simple algebra implies that A's advantage must be negligible.

Note that adaptive-chosen-ciphertext-secure private-key encryption schemes can be constructed using a one-way function, while non-malleable public-key encryption schemes (with 0 probability of decryption error) are known to exist assuming trapdoor permutations [?]. This completes the proof. □



B Alternate Proof of Theorem 1

In this section, we present an alternate proof of Theorem 1 which in fact gives us a stronger security guarantee. First, notice that in the previous proof, the simulator had to cut off the simulation after $2\varepsilon^{-1} \ln 2\varepsilon^{-1}$ steps. This is because for some values of the initial setup γ, it is possible that the adversary would not decommit at all, and thus that the simulation would never terminate. This is an essential problem with the sort of simulation described above: even if the fraction of "bad setups γ" were barely noticeable, the expected running time of the simulation might be infinite!

Instead, we give a simulation which always runs in expected polynomial time, provided that the adversary succeeds with noticeable probability. To do so, we adapt the proof technique of DIO [?]. Unfortunately, one cannot apply their proof directly here since their proof relies on the fact that the DIO commitment scheme is statistically binding.

Let p_A be the success probability of the adversary in the original basic experiment for non-malleability with respect to opening, i.e. $p_A = \mathrm{Succ}^{NM}_{A,D,R}(k)$. For a given simulator A', let $p_{A'}$ denote the simulator's success probability, i.e. $p_{A'} = \mathrm{Succ}_{A',D,R}(k)$. We will construct a simulator A' such that $p_A - p_{A'} < \mathrm{negl}(k)$; the expected running time of A' is polynomial in $1/p_A$. Notice in particular that when the adversary's probability of success is noticeable, our simulation does (essentially) at least as well as the original adversary, and runs in expected polynomial time.

The simulator A' is simple: it runs the adversary in the basic non-malleability experiment until the adversary succeeds; it then outputs whatever m_2 the adversary succeeded with. We describe two equivalent formulations of this simulator below. The first simulation generates all its parameters honestly; the second simulation uses the equivocator of the previous section.



A'_1(1^k, D)
  m_1, m_2 := ⊥
  com_1, com_2 := 0
  Repeat until R(m_1, m_2) = 1 and com_1 ≠ com_2:
    σ ← TTP(1^k)
    m_1 ← D
    (com_1, dec_1) ← S(σ, m_1)
    com_2 ← A(σ, com_1)
    dec_2 ← A(σ, com_1, dec_1)
    m_2 ← $\mathcal{R}$(σ, com_2, dec_2)
  Output m_2

A'_2(1^k, D)
  m_1, m_2 := ⊥
  com_1, com_2 := 0
  Repeat until R(m_1, m_2) = 1 and com_1 ≠ com_2:
    (σ, com_1, s) ← Equiv_1(1^k)
    Fix random coins ω
    com_2 := A(σ, com_1; ω)
    m_1 ← D
    dec_1 := Equiv_2(s, m_1)
    dec_2 := A(σ, com_1, dec_1; ω)
    m_2 := $\mathcal{R}$(σ, com_2, dec_2)
  Output m_2



From the point of view of the adversary, both of these simulations are equivalent, since the equivocator creates a public string σ and a commitment com which are from the same distribution as the "real" strings σ and com_1. Thus, the output distribution of the two simulations is the same, and hence so is their probability of success. Moreover, both simulations expect to make $1/p_A$ calls to A, and thus their expected running times are essentially the same.

The only difference between the two simulations is that in the first simulation A'_1, the simulator knows no more than the adversary about the relationship of the public parameters g_1, g_2, g_3, H, and so all of these values could come from an outside source. In the second simulation A'_2, only g_1 and g_3 can come from an outside source; g_2 and the other parameters are carefully constructed.

As before, we now consider the three possible cases. 

Cases 1 and 2. Consider the first simulator $A'_1$. As mentioned above, it does not choose the public parameters $g_1, g_2, g_3, H$, and so the analysis from the previous proof of cases 1 and 2 tells us that the probability of either of these cases is negligible. (Otherwise, the simulator would break either the computational binding of the Pedersen scheme or the intractability of finding collisions for the hash function.)

Hence, we can assume even in the second simulation that whenever the adversary generates a new commitment to which he decommits, we have $H(A') \neq H(A)$.
Case 3. As in the previous proof, we denote the generation of a tuple $\gamma = (\sigma, com, s, \omega)$ by the shorthand $\gamma \leftarrow \Gamma(1^k)$. Note that these variables uniquely determine both $com_1$ and $com_2$. Moreover, once the simulator chooses $m_1$, the decommitted message $m_2$ is completely determined by $m_1$ and $\gamma$. For conciseness we write simply $m_2 = M(m_1, \gamma)$. By convention, we will take $M(m_1, \gamma) = \perp$ whenever the adversary refuses to decommit or simply copies the commitment (i.e. $com_2 = com_1$).

On one hand, we can calculate the adversary’s success probability, using the 
properties of the equivocator: 

$$p_A = \Pr\left[\gamma \leftarrow \Gamma(1^k);\ m_1 \leftarrow \mathcal{D} : m_2 = M(m_1, \gamma) \text{ and } R(m_1, m_2)\right].$$

We can also calculate the success probability of the simulator (second formula- 
tion): 

$$p_{A'} = \Pr\left[\gamma \leftarrow \Gamma(1^k);\ m_1, m'_1 \leftarrow \mathcal{D} : R(m'_1, M(m_1, \gamma)) \mid R(m_1, M(m_1, \gamma))\right]$$

$$= \frac{\Pr\left[\gamma \leftarrow \Gamma(1^k);\ m_1, m'_1 \leftarrow \mathcal{D} : R(m'_1, M(m_1, \gamma)) \text{ and } R(m_1, M(m_1, \gamma))\right]}{p_A}.$$

The numerator in the last expression can be interpreted as the success probability 
of the following experiment: 

Choose $m_1$ at random, and run the simulation to obtain a decommitment to a message $m_2$. Then pick a new message $m'_1$ at random and see if both $R(m_1, m_2)$ and $R(m'_1, m_2)$ hold.

Now intuitively, we expect that for any given $\gamma$ the adversary can only decommit to one valid message. We want to use that intuition to show that the success probability of the experiment above is no worse than the following:

Choose $m_1$ and obtain $m_2$ as before. Now, for the same setup $\gamma$, pick a new message $m'_1$ and run the simulation to get $m'_2$. Output a success if both $R(m_1, m_2)$ and $R(m'_1, m'_2)$ hold.

This intuition is captured in the following lemma:

Lemma 2. Let $m_2 = M(m_1, \gamma)$ and $m'_2 = M(m'_1, \gamma)$, where $\gamma, m_1, m'_1$ are chosen as in the previous discussion. Then we have:

$$\Pr\left[R(m_1, m_2) \wedge R(m'_1, m_2)\right] \ge \Pr\left[R(m_1, m_2) \wedge R(m'_1, m'_2)\right] - \mathrm{negl}(k).$$

Proof. For any two events $A$ and $B$, we have $P(A) - P(B) \le P(A \wedge \neg B)$. Thus:

$$\Pr\left[R(m_1, m_2) \wedge R(m'_1, m'_2)\right] - \Pr\left[R(m_1, m_2) \wedge R(m'_1, m_2)\right] \le \Pr\left[R(m_1, m_2) \wedge R(m'_1, m'_2) \wedge \neg R(m'_1, m_2)\right].$$

Now this last event occurs only when $m_2$ and $m'_2$ are different, yet both of them are valid messages. However, such an event allows extraction of the discrete log of $g_3$ with respect to $g_1$, even in the setting of the second simulation. Since $A$ is polynomial time, this probability must be negligible in $k$. □
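Two ingredients of the argument above (the computational binding of the Pedersen scheme invoked in cases 1 and 2, and the discrete-log extraction in the proof of Lemma 2), as an added worked example that is not from the paper: over a constructed toy group it shows that two distinct openings of one Pedersen commitment yield the discrete logarithm the binding property rests on, and that a party who already holds that logarithm (the situation of the equivocator, whose parameters are carefully constructed) can open a commitment to any message. The parameters $p = 23$, $q = 11$, $g = 2$, $x = 7$ and the function names are ours.

```python
"""Pedersen commitment over a constructed toy group: two different openings of one
commitment reveal the discrete logarithm that binding relies on, and knowing that
logarithm is exactly what lets a trapdoor holder equivocate."""

# Constructed toy parameters (NOT secure): p = 23, q = 11 = (p - 1) / 2,
# g = 2 generates the subgroup of order q in Z_p^*.
P, Q, G = 23, 11, 2
TRAPDOOR_X = 7            # secret x with h = g^x; an honest committer never learns x
H = pow(G, TRAPDOOR_X, P)


def commit(m: int, r: int) -> int:
    """Pedersen commitment com = g^m * h^r mod p, with m, r in Z_q."""
    return (pow(G, m % Q, P) * pow(H, r % Q, P)) % P


def extract_dlog(opening_a: tuple, opening_b: tuple) -> int:
    """Given openings (m, r) and (m', r') of the same commitment with r != r',
    return log_g(h): from g^m h^r = g^m' h^r' we get g^(m - m') = g^(x (r' - r)),
    hence x = (m - m') / (r' - r) mod q."""
    (m1, r1), (m2, r2) = opening_a, opening_b
    if commit(m1, r1) != commit(m2, r2):
        raise ValueError("openings do not refer to the same commitment")
    if (r1 - r2) % Q == 0:
        raise ValueError("openings must differ in the randomness r")
    return ((m1 - m2) * pow((r2 - r1) % Q, -1, Q)) % Q


def equivocate(m: int, r: int, new_m: int, x: int) -> int:
    """Trapdoor equivocation: with x = log_g(h), find r' so that (new_m, r') opens
    the commitment made with (m, r).  Solving m + x r = new_m + x r' mod q gives
    r' = r + (m - new_m) / x mod q."""
    return (r + (m - new_m) * pow(x, -1, Q)) % Q
```

With these parameters, `commit(3, 5)` and `commit(2, 2)` are the same group element, and `extract_dlog((3, 5), (2, 2))` recovers $x = 7$; conversely `equivocate(3, 5, 2, 7)` produces the randomness 2 that re-opens the commitment to the message 2. Any adversary that breaks binding with noticeable probability therefore computes discrete logarithms with that probability, which is the reduction the proof relies on.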

Using the lemma and the shorthand notation set up in the lemma, we get:

$$p_{A'} = \frac{\Pr\left[R(m_1, m_2) \wedge R(m'_1, m_2)\right]}{p_A} \ge \frac{\Pr\left[R(m_1, m_2) \wedge R(m'_1, m'_2)\right] - \mathrm{negl}(k)}{p_A}.$$

Recall that once $\gamma$ and $m_1$ are fixed, $m_2$ is also fixed. Similarly, $m'_2$ is fixed once $\gamma$ and $m'_1$ are fixed. Since $m_1$ and $m'_1$ are chosen independently, we can write:

$$p_{A'} \ge \frac{\left(\sum_{\gamma} \Pr\left[\gamma = \Gamma(1^k)\right] \cdot \Pr\left[R(m_1, m_2) \mid \gamma\right] \cdot \Pr\left[R(m'_1, m'_2) \mid \gamma\right]\right) - \mathrm{negl}(k)}{p_A}$$

$$= \frac{\left(\sum_{\gamma} \Pr\left[\gamma = \Gamma(1^k)\right] \cdot \Pr\left[R(m_1, m_2) \mid \gamma\right]^2\right) - \mathrm{negl}(k)}{p_A}.$$

For any random variable $X$ we have $E[X^2] \ge (E[X])^2$. Applying this to the numerator we get:

$$p_{A'} \ge \frac{\left(\sum_{\gamma} \Pr\left[\gamma = \Gamma(1^k)\right] \cdot \Pr\left[R(m_1, m_2) \mid \gamma\right]\right)^2 - \mathrm{negl}(k)}{p_A}.$$

But the numerator is simply $(p_A)^2 - \mathrm{negl}(k)$. Thus $p_{A'} \ge p_A - \frac{\mathrm{negl}(k)}{p_A}$.
Abstract. In this paper we show how to convert a statistically binding but computationally concealing quantum bit commitment scheme into a computationally binding but statistically concealing QBC scheme. For a security parameter $n$, the construction of the statistically concealing scheme requires $O(n^2)$ executions of the statistically binding scheme.

As a consequence, statistically concealing but computationally binding quantum bit commitments can be based upon any family of quantum one-way functions. Such a construction is not known to exist in the classical world.

1 Introduction 

Finding the weakest computational assumptions from which the basic cryptographic primitives can be based upon is important for the theoretical foundations of cryptography. Protocols for secure 2-party computations are usually built from two basic and fundamental cryptographic primitives: bit commitment and oblivious transfer. Classically, one-way functions are necessary and sufficient for secure bit commitment but not for oblivious transfer unless a major breakthrough is achieved in complexity theory [ref]. This suggests that in classical cryptography, bit commitment is a weaker primitive than oblivious transfer. Bit commitments come in two main flavors: binding but computationally concealing, and concealing but computationally binding. Informally, binding means that whatever the committer does, it is impossible to open both 0 and 1 with non-negligible probability of success (this is sometimes called statistically binding). Concealing means that the receiver cannot obtain more than a negligible amount of information about the committed bit (i.e. statistically concealing). The weakest known computational assumption from which bit commitment can be based upon depends on its flavor. Binding but computationally concealing bit commitments can be based upon any one-way function [ref]. On the other hand, the weakest known ass umption for concealing but computationally binding commitments is the existence of one-way permutations [ref]. It seems that in the classical world, concealing commitments are more difficult to achieve than binding ones. The two flavors allow for different cryptographic applications. For example, computational zero-knowledge proofs [ref] can be constructed from binding commitments whereas perfect zero-knowledge arguments [ref] use concealing commitments.

In quantum cryptography, computational assumptions are also required for bit commitment and oblivious transfer [ref]. The standard computational assumptions for the quantum case are defined as in the classical case except that they must resist quantum inverters. A quantum one-way function is simply a classical function $f : \{0,1\}^n \to \{0,1\}^*$ for which, given any $x \in \{0,1\}^n$, $f(x)$ can be efficiently computed by a quantum computer but finding $x' \in f^{-1}(y)$ given $y := f(x)$ (when $x \in_R \{0,1\}^n$) is hard. In [ref], a concealing quantum bit commitment scheme is built from any quantum one-way permutation. The resulting scheme, although improving the communication complexity of the known classical protocols, requires the same kind of assumption as in the classical case. In this paper, we show that the computational assumption for concealing quantum bit commitment schemes can be weakened compared to its classical counterpart. Our construction relies upon the QOT protocol for quantum 1-out-of-2 oblivious transfer of Crépeau [ref]. The QOT protocol can be seen as a construction of quantum oblivious transfer from a black-box for bit commitment [ref]. Therefore, and unlike the classical case, there exists a black-box reduction of quantum oblivious transfer to bit commitment.

Our main contribution consists in showing how any statistically binding quantum bit commitment scheme can be transformed into a statistically concealing one. The construction is obtained by using the QOT protocol together with statistically binding but otherwise computationally concealing commitments (these commitments will be called initial commitments in the following). Using the QOT protocol that way, we construct a simple quantum commitment scheme that we show statistically concealing and computationally binding. The construction converts the flavor of the initial commitments after calling them $O(n^2)$ times for $n$ a security parameter. As a byproduct, we show that the QOT protocol is an oblivious transfer that statistically hides one out of the two bits sent and computationally conceals the receiver's selection bit whenever it is used together with statistically binding but computationally concealing commitments instead of perfect commitments given as black-boxes. This extends the security result for the QOT protocol of [ref] to the computational case. Our reduction of an adversary for the binding condition of the resulting commitment scheme to an adversary for the concealing condition of the initial commitment is expected polynomial-time black-box. Although quantum information has peculiar behaviors adding complexity to the security proofs of cryptographic protocols, we shall see that using quantum oblivious transfer as a primitive allows one to return to an essentially classical situation. This might be of independent interest for the construction and analysis of complex quantum protocols.

One consequence of our result is that statistically concealing but computationally binding quantum commitment schemes can be based upon any quantum one-way function using Naor's construction from pseudo-random bit generators. Only the ability to send and receive BB84 [ref] qubits is required in order to get the new flavor. The scheme can therefore be implemented using current technology. Our result gives more evidence that computational security in 2-party quantum cryptography enjoys different properties than its classical counterpart.

Paper's Organization. We introduce tools and definitions in Sect. 2. The protocol by which the flavor of an originally binding but computationally concealing commitment is transformed into a concealing but computationally binding commitment is described in Sect. 3. The security proof of our construction is given in Sect. 4 and Sect. 5. In Sect. 4 we show that the resulting commitment is computationally binding if the original one was computationally concealing. We then prove in Sect. 5 that if the initial commitment scheme is binding then the resulting one is concealing. We finally conclude in Sect. 6.

2 Preliminaries 

2.1 Tools 

Let $X \sim B(p)$ be a Bernoulli random variable with probability of success $p$ (when $X = 1$). The following simple argument will be useful:

Hybrid Argument. Let $X = \{X_1, X_2, \ldots, X_n\}$ be a set of independent random variables $X_i \sim B(p_i)$ for $1 \le i \le n$. Then, there exists $1 \le k < n$ such that

$$|p_{k+1} - p_k| \ge \frac{|p_n - p_1|}{n}. \qquad (1)$$

The result also holds without the absolute values. Later, we shall be given $X$ without the values of the $p_i$'s but only circuits (quantum or classical) $R_i$ for sampling in each $X_i \in X$ (i.e. $P(R_i = 1) = p_i$) and a guarantee that (1) holds for some $k$. In this scenario, we shall need an algorithm for estimating the $p_i$'s and one for finding $k'$ that satisfies a drop similar to (1).



Estimating the $p_i$'s. Let R be a circuit for sampling in $B(p)$, where $p$ is expressed in terms of a known constant $0 < q < 1$ and a positive polynomial $p(n)$. It is easy to devise an algorithm LowBound(R, $q$, $n$) that satisfies (see [ref] for the proof and the algorithm):

Lemma 1. For $n$ sufficiently large, LowBound(R, $q$, $n$) returns an estimate $\tilde p$ satisfying the required bound on $p$ except with probability $2^{-\alpha n}$, $\alpha > 0$, and after calling R an expected number of times polynomial in $n$ and $p(n)$.
Finding a Drop. Let $\mathcal{D} = \{D_l\}_{l=0}^{m}$ be a family of Bernoulli distributions with unknown parameters $0 \le p_l \le 1$ for every $0 \le l \le m$ and such that $p_{k^*} - p_{k^*+1} \ge \frac{1}{p(n)}$ for some $0 \le k^* < m$. Let S be a sampling circuit for $\mathcal{D}$ that, given $0 \le l \le m$, samples $D_l$ (i.e. $P(S(l) = 1) = 1 - P(S(l) = 0) = p_l$). We would like to find $k$ that exhibits a polynomial drop $p_k - p_{k+1}$ similar to $p_{k^*} - p_{k^*+1}$. It is not difficult to find an algorithm FindDrop that finds $k$ (using the sampling circuit S as a black-box) such that (see [ref] for the proof and the algorithm):

Lemma 2. Given a family of Bernoulli distributions $\mathcal{D} = \{D_l\}_{l=0}^{m}$ with sampling circuit S such that $p_{k^*} - p_{k^*+1} \ge \frac{1}{p(n)}$ for some $0 \le k^* \le m - 1$, algorithm FindDrop(S, …) returns $k$ such that $p_k - p_{k+1} \ge \frac{1}{2p(n)}$ except with negligible probability $2^{-\alpha n}$, $\alpha > 0$, and after calling S a number of times polynomial in $m$, $n$ and $p(n)$.
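The hybrid argument and the drop-finding step above, as an added worked example (our own code, not the LowBound or FindDrop algorithms of the paper or of its references): `hybrid_index` is the argument with the $p_i$ known, including the variant without absolute values, and `find_drop` is the black-box version that only sees a sampler S and must estimate the $p_l$ first. The family TRUE_P, the seed and the number of trials are constructed for the run.

```python
import random
from typing import Callable, Sequence, Tuple


def hybrid_index(p: Sequence[float], signed: bool = False) -> Tuple[int, float]:
    """Hybrid argument with the p_i known.  Returns (k, gap), 0 <= k < n-1, such
    that the pair (p[k], p[k+1]) shows the largest gap.  Because the gaps telescope,
    sum_k (p[k+1] - p[k]) = p[n-1] - p[0], so the largest one is at least
    |p[n-1] - p[0]| / (n - 1), which implies the bound |p_n - p_1| / n of (1).
    With signed=True the gap is the drop p[k] - p[k+1] (no absolute values)."""
    n = len(p)
    if n < 2:
        raise ValueError("need at least two distributions")
    gap = (lambda i: p[i] - p[i + 1]) if signed else (lambda i: abs(p[i + 1] - p[i]))
    k = max(range(n - 1), key=gap)
    return k, gap(k)


def estimate(sample: Callable[[], int], trials: int) -> float:
    """Empirical success frequency of a {0,1}-valued sampler."""
    return sum(sample() for _ in range(trials)) / trials


def find_drop(sampler: Callable[[int], int], m: int, trials: int) -> Tuple[int, float]:
    """p_l unknown; only a black-box sampler S(l) in {0,1} with P(S(l) = 1) = p_l.
    Estimate every p_l with `trials` samples and return the index with the largest
    estimated drop p_k - p_{k+1}.  By Hoeffding, each estimate is within eps of p_l
    except with probability 2 exp(-2 trials eps^2), so a true drop of 1/p(n) shows
    up as an estimated drop of at least 1/(2p(n)) once trials is a large enough
    polynomial in n and p(n)."""
    est = [estimate(lambda: sampler(l), trials) for l in range(m + 1)]
    k = max(range(m), key=lambda i: est[i] - est[i + 1])
    return k, est[k] - est[k + 1]


# Constructed example: m + 1 = 5 Bernoulli distributions with one sharp drop at l = 1.
TRUE_P = [0.90, 0.88, 0.50, 0.48, 0.47]


def demo_find_drop(seed: int = 2001, trials: int = 2000) -> Tuple[int, float]:
    """Run find_drop against a seeded sampler for TRUE_P; the drop is found at k = 1."""
    rng = random.Random(seed)
    sampler = lambda l: int(rng.random() < TRUE_P[l])
    return find_drop(sampler, len(TRUE_P) - 1, trials)
```

`hybrid_index` is deterministic and illustrates the existence claim; `find_drop` is the situation of Lemma 2, where the caller never sees the $p_l$ and pays for the guarantee with a polynomial number of samples per index.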

2.2 Notations and Model of Computation 

For simplicity, we shall often drop the security parameters associated with protocol executions. When protocols and adversaries are modeled as circuits they should be understood as infinite families of circuits, one circuit for each possible value of the security parameters. We write $poly(n)$ for the set of all positive polynomials.

Let $\mathcal{H}_n$ denote an $n$-dimensional Hilbert space, that is, a complete inner product vector space over the complex numbers. The basis $\{|0\rangle, |1\rangle\}$ denotes the computational, rectilinear or "$+$" basis for $\mathcal{H}_2$. When the context requires, we write $|b\rangle_+$ to denote the bit $b$ in the rectilinear basis. The diagonal basis, denoted "$\times$", is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|1\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. The states $|0\rangle$, $|1\rangle$, $|0\rangle_\times$ and $|1\rangle_\times$ are the four BB84 states. For any $x \in \{0,1\}^n$ and $\theta \in \{+,\times\}^n$, the state $|x\rangle_\theta$ is defined as $\bigotimes_{i=1}^{n} |x_i\rangle_{\theta_i}$, where $\otimes$ denotes the tensor product. An orthogonal (or von Neumann) measurement of a quantum state in $\mathcal{H}_m$ is described by a set of $m$ orthogonal projections $\mathcal{M} = \{P_i\}_{i=1}^{m}$ acting in $\mathcal{H}_m$, thus satisfying $\sum_{i=1}^{m} P_i = \mathbb{1}_m$, where $\mathbb{1}_m$ denotes the identity operator in $\mathcal{H}_m$. Each projection, or equivalently each index $i \in \{1, \ldots, m\}$, is a possible classical outcome for $\mathcal{M}$.

We model quantum algorithms by quantum circuits built out of a universal set of quantum gates $\mathcal{UG} = \{\mathrm{CNot}, \mathrm{H}, \mathrm{R}_\theta\}$, where CNot denotes the controlled-NOT, H the one-qubit Hadamard gate, and $\mathrm{R}_\theta$ is an arbitrary one-qubit non-trivial rotation specified by a matrix containing only rational numbers [ref]. The time-complexity of a quantum circuit $C$ is the number of elementary gates $\|C\|_{\mathcal{UG}}$ in $C$. In addition to the set of gates $\mathcal{UG}$, a quantum circuit is allowed to perform one kind of von Neumann measurement: $\mathcal{M}_+ = \{P_0^+, P_1^+\}$ where $P_0^+ = |0\rangle\langle 0|$ and $P_1^+ = |1\rangle\langle 1|$ are the two orthogonal projections of the computational basis. $\mathcal{M}_+$ is sometimes called the measurement in the rectilinear or computational basis. Another von Neumann measurement, used by the receiver in the BB84 quantum coding scheme, is the measurement in the diagonal basis $\mathcal{M}_\times = \{P_0^\times, P_1^\times\}$ for $P_0^\times = \frac{1}{2}(|0\rangle + |1\rangle)(|0\rangle + |1\rangle)^\dagger$ and $P_1^\times = \frac{1}{2}(|0\rangle - |1\rangle)(|0\rangle - |1\rangle)^\dagger$, where $\dagger$ denotes the transposed complex conjugate operator. The Hadamard gate H is sufficient to build measurement $\mathcal{M}_\times$ from $\mathcal{M}_+$ since $\mathcal{M}_\times = \{\mathrm{H} P_0^+ \mathrm{H}^\dagger, \mathrm{H} P_1^+ \mathrm{H}^\dagger\}$. For $x \in \{0,1\}^n$ and $\beta \in \{+,\times\}^n$ we write $P_x^\beta = \bigotimes_{i=1}^{n} P_{x_i}^{\beta_i}$. If $|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ is a composite quantum state, we write $P_x^\beta |\Psi\rangle$ (i.e. $(P_x^\beta \otimes \mathbb{1}_B)|\Psi\rangle$) for the projector applied to the registers in $\mathcal{H}_A$ along the state $|x\rangle$ for $x \in \{0,1\}^{\log \dim \mathcal{H}_A}$. The classical output $L(|\Psi\rangle)$ of circuit $L$ is the classical outcomes of all von Neumann measurements $\mathcal{M}_+$ taking place during the computation $L|\Psi\rangle$. If the circuit $L$ accepts two input states of the form $|\Psi_0\rangle \otimes |\Psi_1\rangle$ we may write similarly $L(|\Psi_0\rangle, |\Psi_1\rangle)$ for the classical output.

A 2-party quantum protocol is a pair of interactive quantum circuits $(A, B)$ applied to some initial product state $|x_A\rangle^A \otimes |x_B\rangle^B$ representing $A$'s and $B$'s inputs to the protocol, neglecting to write explicitly the states of $A$'s and $B$'s registers that do not encode their respective input to the protocol (thus all in initial states $|0\rangle$). Also, we shall often write $|x_A\rangle^A |x_B\rangle^B$ for the product state without explicitly writing the tensor product $\otimes$. Since communication takes place between $A$ and $B$, the complete circuit representing one protocol execution may have quantum gates in $A$ and $B$ acting upon the same quantum registers. We write $A \odot B$ for the complete quantum circuit when $A$ is interacting with $B$. The final composite state $|\Psi_{final}\rangle$ obtained after the execution is then written as $|\Psi_{final}\rangle = (A \odot B)|x_A\rangle^A |x_B\rangle^B$.



2.3 Cryptographic Primitives 

The two relevant quantum primitives we shall use heavily in the following are 
quantum bit commitment and quantum oblivious transfer. They are defined as 
straightforward quantum generalizations of their classical counterparts. 



Quantum Bit Commitment. A quantum bit commitment scheme is defined by two quantum protocols $((C^A, C^B), (O^A, O^B))$ where $(C^A, C^B)$ is a pair of interactive quantum circuits for the committing stage and $(O^A, O^B)$ is a pair of interactive quantum circuits for the opening stage ($A$ being the committer and $B$ the receiver). The committing stage generates the state $|\Psi_b\rangle = (C^A \odot C^B)|b\rangle^A |0\rangle^B$ upon which the opening stage is executed: $|\Psi_{final}\rangle = (O^A \odot O^B)|\Psi_b\rangle$. The binding condition of a quantum bit commitment is slightly more general than the usual classical definition. An adversary $\tilde{A} = (\tilde{C}^A, \tilde{O}^A)$ is such that $|\Psi\rangle = (\tilde{C}^A \odot C^B)|0\rangle^A |0\rangle^B$ is generated during the committing stage. The dishonest opening circuit $\tilde{O}^A$ tries to open $b \in \{0,1\}$ given as an extra input bit $|b\rangle^A$. Given the final state $|\Psi_{final}\rangle = (\tilde{O}^A \odot O^B)|\Psi\rangle |b\rangle^A$, we define $s_b(n)$ as the probability to open $b$ with success. More precisely, $s_b(n) = \|P^{ok}_b |\Psi_{final}\rangle\|^2$ where $P^{ok}_b$ is Bob's projection operator on the subspace leading to accept the opening of $b$. An adversary $\tilde{A}$ of the binding condition who can open $b = 0$ with probability at least $s_0(n)$ and open $b = 1$ with probability at least $s_1(n)$ will be called a $(s_0(n), s_1(n))$-adversary against the binding condition. We define the concealing and binding criteria similarly to [6]:
(computationally) binding: There exists no positive polynomial $p(n)$ and quantum $(s_0(n), s_1(n))$-adversary $\tilde{A}$ such that $s_0(n) + s_1(n) \ge 1 + \frac{1}{p(n)}$ for $n$ sufficiently large. The scheme is computationally binding if we add the restriction $\|\tilde{A}\|_{\mathcal{UG}} \in poly(n)$.

(computationally) concealing: For every interactive quantum circuit $\tilde{C}^B$ for the committing stage, all quantum circuits $L$ acting only upon $B$'s registers, all positive polynomials $p(n)$ and $n$ sufficiently large, $P\left(L((C^A \odot \tilde{C}^B)|b\rangle^A |0\rangle^B) = b\right) < \frac{1}{2} + \frac{1}{p(n)}$ where the probabilities are taken over $b \in_R \{0,1\}$. The scheme is computationally concealing if we add the restriction $\|\tilde{C}^B\|_{\mathcal{UG}} + \|L\|_{\mathcal{UG}} \in poly(n)$.

Note that the concealing and binding conditions are statistical, not perfect.

Quantum Oblivious Transfer. A 1-2 quantum oblivious transfer protocol [ref] involves a sender Alice holding input bits $(b_0, b_1)$ and a receiver Bob holding input $c \in \{0,1\}$. Alice sends $(b_0, b_1)$ to Bob in such a way that Bob receives only $b_c$ and Alice does not get to know $c$. The receiver must not be able to find $b_{\bar{c}}$ for at least one $c \in \{0,1\}$, even given $b_c$. More precisely, a protocol $(A, B)$ for 1-2 quantum oblivious transfer is such that $|\Psi(b_0, b_1, c)\rangle = (A \odot B)|b_0 b_1\rangle^A |c\rangle^B$ allows Bob to recover $b_c$ from applying $\mathcal{M}_+$ upon one of his registers. A protocol for 1-2 quantum oblivious transfer is (computationally) secure if it is both

(computationally) secure against the sender: For every quantum sender $\tilde{A}$, all quantum circuits $L$ acting only on $A$'s registers, all positive polynomials $p(n)$ and $n$ sufficiently large, $P\left(L((\tilde{A} \odot B)|00\rangle^A |c\rangle^B) = c\right) < \frac{1}{2} + \frac{1}{p(n)}$ where the probabilities are taken over $c \in_R \{0,1\}$. The security is computational if we add the restriction $\|\tilde{A}\|_{\mathcal{UG}} + \|L\|_{\mathcal{UG}} \in poly(n)$.

(computationally) secure against the receiver: For every quantum receiver $\tilde{B}$, all quantum circuits $L$ acting only on $B$'s registers, all positive polynomials $p(n)$ and $n$ sufficiently large, there exists a random variable $c$ with possible outcome 0 or 1 depending on $(A \odot \tilde{B})|b_0 b_1\rangle^A |0\rangle^B$ satisfying $P\left(L((A \odot \tilde{B})|b_0 b_1\rangle^A |0\rangle^B, |b_c\rangle^A) = b_{\bar{c}}\right) < \frac{1}{2} + \frac{1}{p(n)}$ where the probabilities are taken over $b_0, b_1 \in_R \{0,1\}$. The security is computational if we add the restriction $\|\tilde{B}\|_{\mathcal{UG}} + \|L\|_{\mathcal{UG}} \in poly(n)$.

As for bit commitment, the security is statistical, not perfect.

3 The Protocols 

In this section, we first describe the QOT protocol of [ref] for 1-2 oblivious transfer. Then, we describe a simple quantum bit commitment scheme QBC, using QOT as a sub-protocol, that transforms any binding bit commitment scheme into a concealing one. Throughout this paper, we assume for simplicity that quantum transmission is error-free.
3.1 QOT Protocol

The QOT protocol [ref] is based upon the BB84 quantum coding scheme [ref]. If the receiver (Bob) of a random BB84 qubit $|s\rangle_\beta$, $s \in_R \{0,1\}$, $\beta \in_R \{+,\times\}$, measures it in basis $\hat{\beta} \in_R \{+,\times\}$ upon reception, then a noisy classical communication of bit $s$ from Alice to Bob is implemented. Moreover, if later on Alice announces $\beta$, then Bob knows that he received $s$ whenever $\hat{\beta} = \beta$ and an uncorrelated bit whenever $\hat{\beta} \ne \beta$. The QOT protocol amplifies this process in order to get a secure 1-2 oblivious transfer. In order to ensure that Bob measures the BB84 qubits upon reception, bit commitments are used. Bob commits upon each measurement basis and measurement outcome right after the quantum transmission. Alice then verifies in random positions that Bob has really measured the transmitted qubits by testing that whenever $\hat{\beta} = \beta$ then Bob's classical outcome $r \in \{0,1\}$ is such that $r = s$.

In the following, we assume that Alice and Bob have access to some bit commitment scheme BBC in order for Bob to commit upon the measurement bases of the received qubits together with the outcomes. Since the two commitments are made together, we write BBC($x, y$) where $x \in \{+,\times\}$ and $y \in \{0,1\}$ for the commitments of both the measurement basis and the measurement outcome. BBC may be given as a black-box for bit commitment or may be provided from some computational assumption. We denote by Open-BBC($x, y$) the opening stage of BBC($x, y$). Protocol QOT($b_0, b_1$)($c$) achieves the oblivious transfer of bit $b_c$.



Protocol 1 (QOT($b_0, b_1$)($c$))

1: For $1 \le i \le 2n$
   - Alice picks $s_i \in_R \{0,1\}$, $\beta_i \in_R \{+,\times\}$
   - Alice sends to Bob a qubit $\pi_i$ in state $|s_i\rangle_{\beta_i}$
   - Bob picks a basis $\hat{\beta}_i \in_R \{+,\times\}$, measures $\pi_i$ in basis $\hat{\beta}_i$, and obtains the outcome $r_i \in \{0,1\}$

2: For $1 \le i \le n$
   - Bob runs BBC($\hat{\beta}_i, r_i$) and BBC($\hat{\beta}_{n+i}, r_{n+i}$) with Alice
   - Alice picks $f_i \in_R \{0,1\}$ and announces it to Bob
   - Bob runs Open-BBC($\hat{\beta}_{nf_i+i}, r_{nf_i+i}$)
   - Alice verifies that $\hat{\beta}_{nf_i+i} = \beta_{nf_i+i} \Rightarrow s_{nf_i+i} = r_{nf_i+i}$, otherwise she rejects the current execution
   - if $f_i = 0$ then Alice sets $\beta_i \leftarrow \beta_{n+i}$ and $s_i \leftarrow s_{n+i}$, and Bob sets $\hat{\beta}_i \leftarrow \hat{\beta}_{n+i}$ and $r_i \leftarrow r_{n+i}$

3: Alice announces her choices of bases $\beta_1, \beta_2, \ldots, \beta_n$ to Bob

4: Bob chooses at random and announces two subsets of positions $J_0, J_1 \subset \{1, 2, \ldots, n\}$, $|J_0| = |J_1|$, $J_0 \cap J_1 = \emptyset$, and $\forall i \in J_c$, $\hat{\beta}_i = \beta_i$

5: Alice computes and announces $\hat{b}_0 = \bigoplus_{j \in J_0} s_j \oplus b_0$ and $\hat{b}_1 = \bigoplus_{j \in J_1} s_j \oplus b_1$

6: Bob receives $(\hat{b}_0, \hat{b}_1)$ and computes $b_c = \bigoplus_{i \in J_c} r_i \oplus \hat{b}_c$

The bases $\{+,\times\}$ are encoded in $\{0,1\}$.
Known Security Results. The correctness and the security of the QOT protocol against the sender (Alice) have been reduced to the concealing property of BBC in [ref]. The security against the receiver (Bob) has been provided by Yao in [ref] given that the commitment scheme BBC is perfectly binding. That is, given that BBC is a perfect black-box for bit commitment, QOT is secure against any dishonest Bob irrespective of his computing power.

3.2 QBC Protocol Using QOT 

Given a binding but computationally concealing bit commitment scheme BBC in QOT, the following simple commitment scheme will be shown concealing and computationally binding.

Protocol 2 (QBC($b$))

1: QBC-commit($b$)
   - For $1 \le j \le n$
     • Alice prepares $a_{0j} \in_R \{0,1\}$ and $a_{1j} = a_{0j} \oplus b$
     • Bob prepares $c_j \in_R \{0,1\}$
     • Alice and Bob execute QOT($a_{0j}, a_{1j}$)($c_j$) and Bob receives the result $d_j$

2: QBC-open($b$)
   - Alice announces $b$
   - For $1 \le j \le n$
     • Alice announces $a_{0j}$ and $a_{1j}$
     • Bob verifies that $b = a_{0j} \oplus a_{1j}$ and $d_j = a_{c_j j}$

A commitment to bit $b$ is done by sending through 1-2 oblivious transfers $n$ pairs of bits $\{(a_{0j}, a_{1j})\}_{j=1}^{n}$ such that $a_{0j} \oplus a_{1j} = b$. The concealing condition relies on the security of QOT against a malicious receiver and the binding condition relies on the security against a malicious sender. Intuitively, QBC appears concealing since for $1 \le j \le n$ Bob cannot obtain information on more than one of the two bits $(a_{0j}, a_{1j})$ input in the $j$-th QOT and so cannot determine $b = a_{0j} \oplus a_{1j}$. Similarly, QBC should be binding since for all $1 \le j \le n$ Alice needs to change the bit $a_{\bar{c}_j j}$ not selected by Bob in order to change her commitment.
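Protocols 1 and 2 above, run between honest parties, as an added simulation (our code, not the authors'). BB84 qubits are modelled by the classical rule "same basis gives $s$, other basis gives a uniform bit", which is exact for honest measurement but says nothing about a dishonest party's quantum strategy; BBC is replaced by a SHA-256 hash commitment as a stand-in; and $|J_0| = |J_1|$ is set to $n/8$, an assumption of ours since the page's own value is not legible in our copy. The run shows why Bob learns only $b_c$, and why an Alice who does not know the $c_j$ cannot re-open a QBC commitment to the other bit.

```python
"""Honest-party simulation of Protocol 1 (QOT) and Protocol 2 (QBC).  BB84 qubits
are modelled classically: measuring |s>_beta in the same basis returns s, in the
other basis a uniform bit (exact for honest parties only)."""
import hashlib
import random

RNG = random.Random(2001)          # seeded so the worked run is reproducible
PLUS, DIAG = 0, 1                  # bases {+, x} encoded in {0, 1}, as in the footnote


def measure(s: int, beta: int, beta_hat: int) -> int:
    """Bob's outcome r for the qubit |s>_beta measured in basis beta_hat."""
    return s if beta == beta_hat else RNG.randrange(2)


def bbc_commit(x: int, y: int):
    """Stand-in for BBC(x, y): a hash commitment (constructed placeholder, not the
    paper's scheme).  Returns (commitment, opening)."""
    nonce = RNG.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes([x, y])).digest(), (nonce, x, y)


def open_bbc(com: bytes, opening) -> bool:
    """Open-BBC: the receiver recomputes and compares the commitment."""
    nonce, x, y = opening
    return hashlib.sha256(nonce + bytes([x, y])).digest() == com


def parity(bits) -> int:
    return sum(bits) % 2


def qot(b0: int, b1: int, c: int, n: int, t: int = None) -> int:
    """Protocol 1 with honest Alice (b0, b1) and honest Bob (c); returns Bob's b_c.
    t = |J_0| = |J_1| is our assumption (n // 8 keeps an honest run from failing)."""
    t = n // 8 if t is None else t
    # Step 1: Alice sends 2n BB84 qubits, Bob measures each in a random basis.
    s = [RNG.randrange(2) for _ in range(2 * n)]
    beta = [RNG.randrange(2) for _ in range(2 * n)]
    beta_hat = [RNG.randrange(2) for _ in range(2 * n)]
    r = [measure(s[i], beta[i], beta_hat[i]) for i in range(2 * n)]
    # Step 2: Bob commits to (basis, outcome) for positions i and n+i; Alice tests one.
    for i in range(n):
        coms = [bbc_commit(beta_hat[i], r[i]), bbc_commit(beta_hat[n + i], r[n + i])]
        f = RNG.randrange(2)
        pos = n * f + i
        com, opening = coms[f]
        if not open_bbc(com, opening):
            raise ValueError("Alice rejects: commitment at %d did not open" % pos)
        if beta_hat[pos] == beta[pos] and r[pos] != s[pos]:
            raise ValueError("Alice rejects: qubit %d was not measured" % pos)
        if f == 0:                      # position i was revealed: replace it by n+i
            beta[i], s[i] = beta[n + i], s[n + i]
            beta_hat[i], r[i] = beta_hat[n + i], r[n + i]
    # Step 3: Alice announces beta_1 .. beta_n.
    announced = beta[:n]
    # Step 4: Bob puts matching-basis positions in J_c and the others in J_{1-c}.
    good = [i for i in range(n) if beta_hat[i] == announced[i]]
    bad = [i for i in range(n) if beta_hat[i] != announced[i]]
    if len(good) < t or len(bad) < t:
        raise ValueError("too few positions for |J_0| = |J_1| = %d; rerun" % t)
    J = [None, None]
    J[c], J[1 - c] = RNG.sample(good, t), RNG.sample(bad, t)
    # Step 5: Alice masks b0 and b1 with the parity of her bits on J_0 and J_1.
    b_hat = [parity(s[j] for j in J[0]) ^ b0, parity(s[j] for j in J[1]) ^ b1]
    # Step 6: on J_c Bob's outcomes equal Alice's bits, so he unmasks b_c only.
    return parity(r[i] for i in J[c]) ^ b_hat[c]


def qbc_commit(b: int, n: int):
    """Protocol 2, committing stage.  Returns Alice's pairs and Bob's (c_j, d_j)."""
    alice, bob = [], []
    for _ in range(n):
        a0 = RNG.randrange(2)
        a1 = a0 ^ b
        c = RNG.randrange(2)
        alice.append((a0, a1))
        bob.append((c, qot(a0, a1, c, n)))
    return alice, bob


def qbc_open(b: int, alice, bob) -> bool:
    """Protocol 2, opening stage, from Bob's side: every pair must have parity b
    and the bit he received in the j-th QOT must match."""
    return all(b == a0 ^ a1 and d == (a0, a1)[c]
               for (a0, a1), (c, d) in zip(alice, bob))


def guessing_reopen(alice):
    """A cheating Alice who wants to open the other bit must flip, in every pair, the
    bit Bob did not receive; not knowing c_j she can only guess, and passes
    qbc_open with probability 2^-n."""
    out = []
    for a0, a1 in alice:
        pair = [a0, a1]
        pair[RNG.randrange(2)] ^= 1
        out.append(tuple(pair))
    return out
```

On $J_{\bar{c}}$ Bob's outcomes are uncorrelated with Alice's bits, so the mask $\hat{b}_{\bar{c}}$ tells him nothing about $b_{\bar{c}}$; the classical model cannot show what a Bob who delays his measurements could do, which is exactly what the commitments in step 2 and the paper's Sect. 5 are about.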

More Notations. In the following we shall have to identify the variables generated during all calls to QOT in QBC. For that purpose, we use the following notation:

- $\pi^j_i$ is the $i$-th qubit sent in the $j$-th call to QOT in QBC.
- $\beta^j_i \in \{+,\times\}$ is the basis $\beta_i$ announced by Alice in the $j$-th run of QOT in QBC. Note that a malicious Alice can send $\pi^j_i$ other than $|0\rangle_{\beta^j_i}$ and $|1\rangle_{\beta^j_i}$.
- $\hat{\beta}^j_i \in \{+,\times\}$ is the basis used by Bob to measure $\pi^j_i$ in the $j$-th call to QOT.
- $r^j_i \in \{0,1\}$ is the outcome of Bob's measurement of $\pi^j_i$ in basis $\hat{\beta}^j_i$.
- $\hat{r}^j_i \in \{0,1\}$ is Carl's outcome for the measurement of $\pi^j_i$ in basis $\beta^j_i$.
- $J^j = (J^j_0, J^j_1)$ is the pair of sets announced by Bob in the $j$-th run of QOT.

We denote by bold lowercases the values for all executions at one glance: $\boldsymbol{\beta} = \{\beta^j_i\}_{i,j}$, $\hat{\boldsymbol{\beta}} = \{\hat{\beta}^j_i\}_{i,j}$ and $\mathbf{r} = \{r^j_i\}_{i,j}$. We denote by $\hat{\mathbf{b}}_0 = \hat{b}^1_0, \ldots, \hat{b}^n_0$ and $\hat{\mathbf{b}}_1 = \hat{b}^1_1, \ldots, \hat{b}^n_1$ the bits announced by Alice at step 5 of each call to QOT. Similarly, we denote by $\mathbf{a} = (\mathbf{a}_0, \mathbf{a}_1) = (a_{01}, a_{11}), (a_{02}, a_{12}), \ldots, (a_{0n}, a_{1n}) \in \{0,1\}^{2n}$ Alice's announcements during the opening stage. We also denote $\mathbf{J}_0 = J^1_0, \ldots, J^n_0$ and $\mathbf{J}_1 = J^1_1, \ldots, J^n_1$ all sets announced by Bob and we write $\mathbf{J} = (\mathbf{J}_0, \mathbf{J}_1)$. Let $\mathbf{c} = c_1, \ldots, c_n$ be all selection bits used by Bob and let $\mathbf{d} = d_1, \ldots, d_n$ be all bits received by QOT. We write $\mathbf{J}_{\mathbf{c}} = J^1_{c_1}, \ldots, J^n_{c_n}$ for all sets of positions corresponding to qubits measured by Bob in bases announced by Alice.

4 The Binding Condition 

In the following section, we show that QBC is secure against any Alice (the 
sender) who cannot break the concealing condition of the initial commitment 
scheme BBC. BBC is used in the calls to QOT in order for Bob to commit on his 
measurements and outcomes. 



Simplified Version of QOT. In our analysis of the binding condition of QBC, 
we shall assume that the opening of half of the commitments in step 2 of QOT 
doesn’t occur. The opening of the commitments allows Alice to make sure that 
Bob measured the qubits received in QOT upon reception. This test is not relevant 
to the binding condition of QBC. 



Protocol 3 (QOT*($b_0, b_1$)($c$))

1: ...step 1 of Protocol 1

2: For $1 \le i \le n$
   - Bob runs BBC($\hat{\beta}_i, r_i$) and BBC($\hat{\beta}_{n+i}, r_{n+i}$) with Alice
   - Alice picks $f_i \in_R \{0,1\}$ and announces it to Bob
   - if $f_i = 0$ then Alice sets $\beta_i \leftarrow \beta_{n+i}$ and $s_i \leftarrow s_{n+i}$, and Bob sets $\hat{\beta}_i \leftarrow \hat{\beta}_{n+i}$ and $r_i \leftarrow r_{n+i}$

3-6: ...as steps 3 to 6 in Protocol 1.



We omit the proof of the following simple lemma: 

Lemma 3. If QOT* is secure against the sender then QOT is secure against the 
sender. 

Throughout Sect. 4 we shall implicitly assume calls to QOT* in QBC instead of calls to QOT. This simplifies the analysis and, according to Lemma 3, it can be done without loss of generality.

4.1 How to Prove the Binding Condition 

In order to show that QBC is computationally binding, we introduce intermediary 
protocols that will allow us to bridge the security of QBC with the known security 
of QOT given black-boxes for bit commitments. Let us consider the following four modified protocols:

U-QOT: Protocol QOT except that in step 2, Bob commits to random values. In other words, for $1 \le i \le n$, Bob runs BBC($u_{0i}, u_{1i}$) and BBC($u_{2i}, u_{3i}$) with $u_{0i}, u_{2i} \in_R \{+,\times\}$ and $u_{1i}, u_{3i} \in_R \{0,1\}$.

M-QOT: The same as U-QOT but a third party named Carl, for $1 \le i \le n$, intercepts the $i$-th qubit sent by Alice in step 1, measures it in basis $\beta_i$ (announced by Alice in step 3) and sends the resulting state to Bob.

U-QBC: Protocol QBC using U-QOT.

M-QBC: Protocol QBC using M-QOT.

The security against any dishonest sender in U-QOT and M-QOT is a direct consequence of the analysis in [ref]. Since the commitments upon measurements do not carry any information about Bob's measurement, Alice cannot obtain any information about his selection bit $c$. The security is information-theoretic: no complexity assumption on Alice's computing power is required.

We reduce the security of the binding condition of QBC to the security of the concealing condition of BBC in two steps:

1. Using Lemmas 4 and 5 we conclude in Lemma 6 that U-QBC is binding. The modified protocol M-QBC is used for reducing the security of U-QBC to the security of U-QOT. Carl's presence allows one to reduce the analysis to an essentially classical argument, which becomes simpler than working from U-QBC directly.

2. Theorem [?] establishes the desired result using the fact that an adversary for the binding condition of QBC cannot be an adversary of U-QBC (Lemma [?]). It is shown how to construct an adversary for the concealing condition of BBC given an adversary for the binding condition of QBC.

4.2 U-QBC Is Binding 

In this section, we show that U-QBC is binding (Lemma 6) using Lemmas 4 and 5 as intermediary steps.

First, we show that an adversary against the binding condition of U-QBC can 
be transformed into an adversary against the binding condition of M-QBC. 

Lemma 4. If there exists a $(s_0(n), s_1(n))$-adversary $\tilde{A}$ against the binding condition of U-QBC, there also exists a $(s_0(n), s_1(n))$-adversary $\tilde{A}^*$ against the binding condition of M-QBC.

Proof. We observe first that $\tilde{A}$'s announcement of $\boldsymbol{\beta}$ at step 3 of U-QOT commutes with step 2. That is, since only commitments to random values are received, $\tilde{A}$ can determine $\boldsymbol{\beta}$ without Bob's commitments. Moreover, $\tilde{A}$ could simulate the commitments on her own and then determine $\boldsymbol{\beta}$ before the qubits are sent to Bob at step 1. Let $\tilde{A}^*$ be the quantum adversary that does that. If $\tilde{A}$ provides a $(s_0(n), s_1(n))$-advantage in U-QBC then so does $\tilde{A}^*$. We now show that $\tilde{A}^*$ is also an adversary for the binding condition of M-QBC.
Now assume for simplicity and without loss of generality that Bob in U-QBC, or Bob and Carl in M-QBC, wait until after Alice announces $\mathbf{a} = (\mathbf{a}_0, \mathbf{a}_1)$ before measuring all qubits received. It is easy to verify that this can always be done since nothing in the committing stage of U-QBC or M-QBC relies on those measurements' outcomes (i.e. since the commitments are made to random values). Clearly, postponing measurements does not influence Alice's probability of success at the opening stage.

Let $V = (\boldsymbol{\beta}, \mathbf{J}, \hat{\mathbf{b}}_0, \hat{\mathbf{b}}_1, \mathbf{c}, \mathbf{a})$ be the partial view in U-QBC or in M-QBC up to Alice's announcement of $\mathbf{a}$ (and $b$, since for all $1 \le j \le n$, $a_{j0} \oplus a_{j1} = b$) in the opening stage. Let $V_U$ and $V_M$ be the random variables for the partial view in U-QBC and M-QBC respectively. By construction we have that for all $V = (\boldsymbol{\beta}, \mathbf{J}, \hat{\mathbf{b}}_0, \hat{\mathbf{b}}_1, \mathbf{c}, \mathbf{a})$, $p(V) = P(V_U = V) = P(V_M = V)$. Moreover, we have that for all partial views $V$, the joint states $|\Psi_U(V)\rangle$ for U-QBC and $|\Psi_M(V)\rangle$ for M-QBC satisfy $|\Psi_U(V)\rangle = |\Psi_M(V)\rangle$. Let $\mathcal{V}_b = \{(\boldsymbol{\beta}, \mathbf{J}, \hat{\mathbf{b}}_0, \hat{\mathbf{b}}_1, \mathbf{c}, \mathbf{a}) \mid (\forall 1 \le j \le n)[a_{j0} \oplus a_{j1} = b]\}$ be the set of partial views corresponding for Alice to open bit $b$. Given $V$, Bob's test will succeed if he gets $\mathbf{d} = (d_1, \ldots, d_n) = (a_{1c_1}, \ldots, a_{nc_n})$ after measuring the qubits in positions in $J^j_{c_j}$ using Alice's bases for all $i \in J^j_{c_j}$ and $j \in \{1, \ldots, n\}$. Let $\mathcal{M}_{test}(V) = \{Q^{ok}_V, \mathbb{1} - Q^{ok}_V\}$ be the measurement allowing Bob to test Alice's announcement when she unveils $b$ given partial view $V \in \mathcal{V}_b$. $Q^{ok}_V$ is the projection of the state of all qubits received in positions in $\mathbf{J}_{\mathbf{c}}$ onto the subspace corresponding to parity $d_j = a_{jc_j}$ for all $j \in \{1, \ldots, n\}$. More precisely, $Q^{ok}_V$ projects, for each $j$, onto the span of the states $|x\rangle_{\beta(V,j)}$ with $x \in T(V,j)$, where $T(V,j) = \{x \in \{0,1\}^{|J^j_{c_j}|} \mid \bigoplus_i x_i = a_{jc_j} \oplus \hat{b}^j_{c_j}\}$ and $\beta(V,j) = \{\beta^j_i \mid i \in J^j_{c_j}\}$ for all $j \in \{1, \ldots, n\}$. Let $s'_b(n)$ be the probability of success when $\tilde{A}^*$ opens $b$ in M-QBC. We get that

$$s_b(n) = \sum_{V \in \mathcal{V}_b} p(V)\,\|Q^{ok}_V |\Psi_U(V)\rangle\|^2 = \sum_{V \in \mathcal{V}_b} p(V)\,\|Q^{ok}_V Q^{ok}_V |\Psi_M(V)\rangle\|^2 = s'_b(n) \qquad (2)$$

since the only difference between U-QBC and M-QBC is that in M-QBC both Carl and Bob measure the qubits in positions in $\mathbf{J}_{\mathbf{c}}$ with the same measurement $\mathcal{M}_{test}$ (this is why we have $Q^{ok}_V Q^{ok}_V$ in (2)). Carl's measurements for positions in $\mathbf{J}_{\bar{\mathbf{c}}}$ are irrelevant to the success probability. The result follows. □

Next, we reduce the binding condition of M-QBC to the security against the
sender in M-QOT. We show that from any successful adversary against the binding
condition of M-QBC one can construct an adversary able to extract non-negligible
information about Bob's selection bit in M-QOT. Carl's measurements in M-QBC
allow one to use a classical argument for most of the reduction, thus simplifying
the proof that U-QBC is binding.

Lemma 5. If there exists a $(s_0(n), s_1(n))$-adversary $A$ against the
binding condition of M-QBC with $s_0(n) + s_1(n) > 1 + \frac{1}{p(n)}$ for some positive
polynomial $p(n)$, then there also exists a cheating sender $A^*$ for M-QOT.

Proof. Let $a'_{j0}$ and $a'_{j1}$ be the two input bits for the $j$-th call to M-QOT computed
according to Carl's outcomes $r$. Let $V$ be the random variable for the joint view
$(a, a', d, c)$ for an execution of the committing and the opening stages of M-QBC
between $A$ and an honest receiver $B$, where $A$ opens a random bit
$b \in_R \{0, 1\}$. Without loss of generality, we assume the announcements made by
$A$ to be consistent, that is $a_{i0} \oplus a_{i1} = b$ for $1 \le i \le n$ when she opens bit $b$. Given
$V = (a, a', d, c)$, we define the ordered set
$S(V) = \{j \mid a'_{j0} \oplus a'_{j1} \ne a_{j0} \oplus a_{j1}\} \subseteq \{1, \ldots, n\}$
of calls to M-QOT for which, given view $V$, Alice's announcement $a$
disagrees with Carl's outcomes $a'$. Given the ordered set $S(V) = \{\sigma_1, \sigma_2, \ldots, \sigma_s\}$,
let $X_j(V) \in \{0, 1\}$ for $1 \le j \le s$ be defined as

$$X_j(V) = \begin{cases} 0 & \text{if } d_{\sigma_j} \ne a_{\sigma_j c_{\sigma_j}}, \\ 1 & \text{if } d_{\sigma_j} = a_{\sigma_j c_{\sigma_j}}. \end{cases}$$



We let $X(V) = X_1(V), \ldots, X_{l(V)}(V)$ for $l(V) = \min(|S(V)|, \lceil n/2 \rceil)$. Clearly,
for $A$ to open with success given $V$, we must have $X(V) = 1^{l(V)}$. Note that
$P(|S(V)| \ge n/2) \ge \frac{1}{2}$ since for at least one choice of $b$, $|S(V)| \ge n/2$, given that $V$
always describes a consistent opening. We easily get that

$$P(X(V) = 1^{\lceil n/2 \rceil}) = P(X(V) = 1^{l(V)}) - P(X(V) = 1^{l(V)} \wedge l(V) < \lceil n/2 \rceil) \ge \tfrac{1}{2}(s_0(n) + s_1(n)) - \tfrac{1}{2} P(X(V) = 1^{l(V)} \mid l(V) < \lceil n/2 \rceil) \ge \frac{1}{2p(n)}. \quad (3)$$

Since $P(X(V) = 1^{\lceil n/2 \rceil}) \ge \frac{1}{2p(n)}$, for $n$ sufficiently large there exists a
string $y^0 \in \{0,1\}^{\lceil n/2 \rceil}$ such that $P(X(V) = y^0) < \frac{1}{4p(n)}$. Let $p$ be the number
of zeros in $y^0$ and $\{r_1, r_2, \ldots, r_p\} \subseteq \{1, \ldots, \lceil n/2 \rceil\}$ be the ordered set of
positions $1 \le r \le \lceil n/2 \rceil$ where $y^0_r = 0$. We now define for $1 \le j \le p$ the hybrid
strings $y^j = y^j_1 y^j_2 \cdots y^j_{\lceil n/2 \rceil}$ between $y^0$ and $1^{\lceil n/2 \rceil}$:

$$y^j_i = \begin{cases} 1 & \text{if } i = r_k \text{ for some } k \le j, \\ y^0_i & \text{otherwise.} \end{cases}$$

Hence, $P(X(V) = y^p = 1^{\lceil n/2 \rceil}) - P(X(V) = y^0) > \frac{1}{4p(n)}$ and we conclude by a
hybrid argument that there exists $1 \le k^* \le p$ such that

$$P(X(V) = y^{k^*}) - P(X(V) = y^{k^*-1}) > \frac{1}{4p\,p(n)} \ge \frac{1}{2(n+1)p(n)}, \quad (4)$$

the last inequality using $p \le \lceil n/2 \rceil \le (n+1)/2$.
Note that $y^{k^*}$ and $y^{k^*-1}$ differ only by the bit in position $r_{k^*}$, where they
respectively have a 1 and a 0.

$A^*$ uses $A$ and $B$ in the following way: after choosing $h \in_R \{1, \ldots, n\}$,
it makes $A$ interact with a simulated honest receiver $B$ for M-QBC,
except for the $h$-th execution of M-QOT for which $A$ interacts with the targeted
receiver for M-QOT. Let $V = (a, a', d, c)$ be the view generated during the
execution. Given $A^*$'s view, algorithm $L^{A^*}$ produces a guess $\hat{c}$ for Bob's selection
bit $c = c_h$ in M-QOT as follows:

- If $|S(V)| \ge n/2$, $h = \sigma_{r_{k^*}}$, and $\forall i \in \{1, \ldots, \lceil n/2 \rceil\} \setminus \{r_{k^*}\}$, $X_i(V) = y^{k^*}_i$,
  then $\hat{c} \in \{0, 1\}$ is defined such that $d_h = a_{h\hat{c}}$ (which necessarily exists since
  $h \in S(V)$),

- Otherwise, $\hat{c} \in_R \{0, 1\}$.

Let $T(V)$ be the event of a successful test in the previous computation.
Since, independently, $|S(V)| \ge n/2$ with probability at least $\frac{1}{2}$, $h = \sigma_{r_{k^*}}$ with
probability $\frac{1}{n}$, and $\forall i \in \{1, \ldots, \lceil n/2 \rceil\} \setminus \{r_{k^*}\}$, $X_i(V) = y^{k^*}_i$ with probability
$P(X(V) = y^{k^*}) + P(X(V) = y^{k^*-1})$, we have that

$$P(T(V)) \ge \frac{P(X(V) = y^{k^*}) + P(X(V) = y^{k^*-1})}{2n}. \quad (5)$$

Given $T(V)$, the guess $\hat{c}$ is the only value for Bob's selection bit $c$ that would
lead to $X(V) = y^{k^*}$ instead of $X(V) = y^{k^*-1}$ (the two strings are the only
possible ones given $T(V)$). We get that

$$P(\hat{c} = c \mid T(V)) = \frac{P(X(V) = y^{k^*})}{P(X(V) = y^{k^*}) + P(X(V) = y^{k^*-1})}. \quad (6)$$

It follows that $(A^*, L^{A^*})$ is a cheating sender for M-QOT since

$$P(\hat{c} = c) = \tfrac{1}{2}\big(1 - P(T(V))\big) + P(T(V))\, P(\hat{c} = c \mid T(V)) \ge \tfrac{1}{2} + \frac{P(X(V) = y^{k^*}) - P(X(V) = y^{k^*-1})}{4n} \ge \tfrac{1}{2} + \frac{1}{8n(n+1)p(n)}, \quad (7)$$

where the first inequality uses (5) and (6), and the second uses (4). □



Using the preceding lemmas together with the fact that M-QOT is unconditionally
secure against the sender, we get the desired result:

Lemma 6. Protocol U-QBC is binding.

As we shall see next, Lemma 6 helps a great deal in proving that QBC is com-
putationally binding.



4.3 QBC Is Binding when BBC Is Concealing 

In the following, we conclude that QBC is computationally binding whenever BBC
is computationally concealing. We use the fact that U-QBC is binding (Lemma
6) in order to use any adversary against the binding condition of QBC as a
distinguisher between random (U-QBC) and real (QBC) commitments for some
hybrids between U-QBC and QBC.

Theorem 1. If there exists a $(s_0(n), s_1(n))$-adversary $A$ against
the binding condition of QBC with $s_0(n) + s_1(n) > 1 + \frac{1}{p(n)}$ for a positive polyno-
mial $p(n)$, then there exists a quantum receiver $C^B$ in BBC and a quantum algo-
rithm $L^B$ such that $P\big(L^B((C^A \odot C^B)|b\rangle^A|0\rangle^B) = b\big) \ge \frac{1}{2} + \Omega\big(\frac{1}{n^4 p(n)}\big)$ whenever
$b \in_R \{0, 1\}$ and where $L^B$ calls $A$ an expected $O(n^6 p(n)^2)$ times.
Proof. Let $B = (C^B, O^B)$ be the circuits for the honest receiver in QBC and let
$\mathcal{A}$ be an honest committer in BBC. Given $A$, we construct a receiver in BBC
from which a bias for $\mathcal{A}$'s committed bit can be extracted. Remember that the
only difference between U-QBC and QBC is that an honest receiver commits to
random bits instead of his measurements and outcomes. There are $4n$ calls to
Commit-BBC per QOT (U-QOT) for a total of $4n^2$ during the committing stage
of QBC (U-QBC). Let us call significant the committed bits specified by the
protocol QOT (to measurements and outcomes) and random the ones specified
by the protocol U-QOT (to random bits). We describe hybrids in between QBC
and U-QBC by letting the number of significant and random commitments vary.
Let QBC$^k$ be protocol QBC but where the first $k$ commitments out of $4n^2$ are
made to random values. We have that U-QBC $=$ QBC$^{4n^2}$ is binding whereas
$A$ is a $(s_0(n), s_1(n))$-adversary for the binding condition of QBC$^0 =$ QBC. Let
$s^k_b(n)$ be the probability that $A$ succeeds when opening $b \in \{0,1\}$ in QBC$^k$ for
$0 \le k \le 4n^2$. Defining $s^k(n) = (s^k_0(n) + s^k_1(n))/2$, we get that $s^0(n) > \frac{1}{2} + \frac{1}{2p(n)}$
and from Lemma 6, $s^{4n^2}(n) \le \frac{1}{2} + \frac{1}{\varepsilon(n)}$ where $\varepsilon(n) > p(n)$ for all $p(n) \in poly(n)$
and $n$ sufficiently large. By the hybrid argument, there exists $0 \le k^* \le 4n^2 - 1$
such that for $n$ sufficiently large,

$$s^{k^*}(n) - s^{k^*+1}(n) \ge \frac{1}{9n^2 p(n)}. \quad (8)$$

Hence, $\mathcal{D}_{4n^2}\big(\frac{1}{9n^2 p(n)}\big) = \{s^k(n)\}_{k=0}^{4n^2}$ is a family of Bernoulli distributions that
satisfies the condition required by FindDrop (Sect. 2.1). The sampling circuit $S$ is easy to construct
given $A$ and $B$. Upon classical input $|l\rangle$ for $0 \le l \le 4n^2$, $S$ runs $A$ and $B$
except that the first $l$ commitments sent from $B$ to $A$ (using BBC) are made
to random values instead of the measurements $\beta$ and the outcomes $r$. $A$ then
opens a random bit $b \in_R \{0,1\}$. If $B$ accepts the opening of $b$ then $S(|l\rangle) = 1$,
otherwise it returns $S(|l\rangle) = 0$. Circuit $S$ is therefore a sampling circuit for
$\mathcal{D}_{4n^2}\big(\frac{1}{9n^2 p(n)}\big)$ with $\|S\|_{ug} \in O(\|A\|_{ug})$, assuming without loss of generality
that $\|B\|_{ug} \in O(\|A\|_{ug})$.

We now construct the adversary $C^B$ for the concealing condition of BBC
given $A$. In order to use algorithm FindDrop (defined in Sect. 2.1), $C^B$ must
first determine a lower bound $\frac{1}{p'(n)}$ for the drop $\frac{1}{9n^2 p(n)}$. This is done by finding
a lower bound $\tilde{p}(n)$ for $\frac{1}{2p(n)}$ and then setting $p'(n)$ accordingly. $C^B$ computes $\tilde{p}(n) =$
LowBound$(S_0, n)$ (defined in Sect. 2.1) where $S_0$ is the circuit $S$ with the input
bits fixed to $|0\rangle$. By the lemma establishing the guarantees of LowBound, the returned
$\tilde{p}(n)$ satisfies the required bound except with negligible probability, after an expected
$O(n^6 p(n)^2)$ calls to $S_0$.

Now $C^B$ can use FindDrop$(S, \frac{1}{p'(n)}, n)$ with the family of distributions
$\mathcal{D}_{4n^2}\big(\frac{1}{p'(n)}\big) = \{s^k(n)\}_{k=0}^{4n^2}$ which exhibits a drop $\frac{1}{p'(n)}$ except with negligible prob-
ability. From the lemma on FindDrop, $C^B$ gets $0 \le k \le 4n^2 - 1$ such that

$$s^k(n) - s^{k+1}(n) \ge \frac{1}{2p'(n)} \quad (9)$$

except with negligible probability. The value of $k$ is obtained after calling $S$
(including the calls to $S_0$ in LowBound) an expected $O(n^6 p(n)^2)$ times.

$C^B$ then uses $k$ for attacking the concealing condition of BBC in the following
way: It makes $A$ and $B$ interact (where $A$ opens $b \in_R \{0, 1\}$) as in QBC$^{k+1}$ except
that the $(k+1)$-th random commitment is provided by the committer $\mathcal{A}$ in BBC.
Let $\tilde{b} \in \{0, 1\}$ be the bit committed by $\mathcal{A}$. Let $V$ be the random variable for
the view generated during the interaction between $A$ and $B$ when $A$ opens the
random bit. Let $c_{k+1}(V) \in \{0, 1\}$ be the bit that $B$ would have committed if the
$(k+1)$-th commitment was significant. The distinguisher $L^B$ (which is classical
given the view $V$) returns the guess $\hat{b}$ for $\tilde{b}$ the following way:

— If $V$ is a successful opening then $\hat{b} = c_{k+1}(V)$,

— Otherwise, $\hat{b} \in_R \{0, 1\}$.

Let $\mathcal{V}^{k+1}_{ok}$ be the set of views for QBC$^{k+1}$ resulting in a suc-
cessful opening and let $\mathcal{G}$ be the set of values $k$ for which (9)
holds. We have $s^k(n) = P(V \in \mathcal{V}^{k+1}_{ok} \mid c_{k+1}(V) = \tilde{b})$ and
$s^{k+1}(n) = \frac{1}{2}\big(P(V \in \mathcal{V}^{k+1}_{ok} \mid c_{k+1}(V) \ne \tilde{b}) + P(V \in \mathcal{V}^{k+1}_{ok} \mid c_{k+1}(V) = \tilde{b})\big)$ which, using
(9) and $P(c_{k+1}(V) = \tilde{b}) = \frac{1}{2}$, leads to

$$P(V \in \mathcal{V}^{k+1}_{ok} \wedge c_{k+1}(V) \ne \tilde{b}) \le P(V \in \mathcal{V}^{k+1}_{ok} \wedge c_{k+1}(V) = \tilde{b}) - \frac{1}{2p'(n)}.$$

Since we also have $P(V \in \mathcal{V}^{k+1}_{ok}) = P(V \in \mathcal{V}^{k+1}_{ok} \wedge c_{k+1}(V) \ne \tilde{b}) + P(V \in \mathcal{V}^{k+1}_{ok} \wedge c_{k+1}(V) = \tilde{b})$, we get

$$P(\hat{b} = \tilde{b} \mid k \in \mathcal{G}) = P(V \in \mathcal{V}^{k+1}_{ok} \wedge c_{k+1}(V) = \tilde{b}) + \tfrac{1}{2}\big(1 - P(V \in \mathcal{V}^{k+1}_{ok})\big) \ge \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2p'(n)}.$$

Since $P(\hat{b} = \tilde{b}) \ge P(k \in \mathcal{G})\, P(\hat{b} = \tilde{b} \mid k \in \mathcal{G})$ and $P(k \in \mathcal{G}) \ge 1 - 2^{-\alpha n}$ for some $\alpha > 0$
(by the lemma on FindDrop), we finally get that $(C^B, L^B)$ is an adversary for the concealing
condition of BBC providing a bias in $\Omega\big(\frac{1}{n^4 p(n)}\big)$ after calling $A$ an
expected $O(n^6 p(n)^2)$ times. □

5 The Concealing Condition 

We now reduce the concealing condition of QBC to the security of QOT against 
a malicious receiver. 

Lemma 7. If there exists a quantum circuit $C^B$ for the receiver in Commit-QBC
and a quantum algorithm $L^B$ acting only on $B$'s registers such that
$P\big(L^B((C^A \odot C^B)|b\rangle^A|0\rangle^B) = b\big) \ge \frac{1}{2} + \frac{1}{p(n)}$ for some positive polynomial $p(n)$
and an honest committing circuit $C^A$ for $b \in_R \{0, 1\}$, then there also exists a
cheating receiver $(B^*, L^{B^*})$ for QOT.
Proof. For the receiver $C^B$ and $L^B$ described in the statement, we have

$$P\big(L^B((C^A \odot C^B)|1\rangle^A|0\rangle^B) = 1\big) - P\big(L^B((C^A \odot C^B)|0\rangle^A|0\rangle^B) = 1\big) \ge \frac{2}{p(n)}.$$

Let us define a modification of the honest committing circuit $C^A$ for QBC, call it $\tilde{C}^A$,
which is the same as $C^A$ but takes a string $f \in \{0, 1\}^n$ instead of a bit $b$ and sends
in the $i$-th call to QOT the bits $a_{0i} \in_R \{0, 1\}$ and $a_{1i} = a_{0i} \oplus f_i$ for $1 \le i \le n$.
The circuit $C^A$ with input $b$ is equivalent to $\tilde{C}^A$ with input $b^n$. Once again, by
a hybrid argument, there exists $1 \le k^* \le n$ such that

$$P\big(L^B((\tilde{C}^A \odot C^B)|1^{k^*}0^{n-k^*}\rangle^A|0\rangle^B) = 1\big) - P\big(L^B((\tilde{C}^A \odot C^B)|1^{k^*-1}0^{n-k^*+1}\rangle^A|0\rangle^B) = 1\big) \ge \frac{2}{n\,p(n)}.$$

With such a value $k^*$, $B^*$ cheats an honest sender $A'$ for QOT$(e_0, e_1)(c)$ in the
following way: it makes $C^B$ interact with $\tilde{C}^A$ on input $1^{k^*-1}0^{n-k^*}$ for the other $n-1$ calls to QOT in
Commit-QBC, except for the $k^*$-th call to QOT where it makes $C^B$ interact with the
targeted sender $A'$ with inputs $e_0, e_1 \in_R \{0, 1\}$. Then, knowing $e_c$ for $c \in \{0, 1\}$,
we take the output of $L^B$, $b'$ say, and compute a guess $e_c \oplus b'$ for $e_{\bar{c}}$. For this
algorithm we have

$$P\big(L^{B^*}((A' \odot B^*)|e_0 e_1\rangle^{A'}|0\rangle^{B^*}, |e_c\rangle^{B^*}) = e_{\bar{c}}\big) = P(b' = e_0 \oplus e_1) \ge \frac{1}{2} + \frac{1}{n\,p(n)},$$

where the probabilities are taken over $e_0, e_1 \in_R \{0, 1\}$. □

From Yao's result and Lemma 7 it is straightforward to conclude that
QBC is concealing.

6 Conclusion and Open Questions 

Having shown in Theorem 1 that a computationally concealing BBC results in a
computationally binding QBC and, from Lemma 7 together with Yao's result,
that no adversary against the concealing condition of QBC exists, we conclude
with our main result:

Theorem 2. If BBC is binding and computationally concealing then QBC is con-
cealing and computationally binding.

For security parameter $n$, the reduction that turns an adversary against the binding
condition of QBC into an adversary against the concealing condition of BBC
is expected polynomial-time black-box. The adversary $\{(C^B, L^B)\}_{n>0}$ is a uni-
form family of quantum circuits whenever $\{A_n\}_{n>0}$ is uniform. It is an interesting
open problem to find an exact polynomial-time black-box reduction.

One consequence of Theorem 2 is that concealing commitment schemes can
be built from any quantum one-way function. We first observe that Naor's com-
mitment scheme is also secure against the quantum computer if the pseudo-
random bit generator (PRBG) it is based upon is secure against the quantum
computer. This follows from the fact that any quantum circuit able to distin-
guish between commitments to 0 and 1 is also able to distinguish a truly random
sequence from a pseudo-random one. To complete the argument, we must make
sure that given a quantum one-way function one can construct a PRBG resistant
to quantum distinguishers. A tedious but not difficult exercise allows one to verify
that the classical construction of a PRBG from any one-way function results in a PRBG
secure against quantum distinguishers given it is built from quantum one-way functions.
We get the following corollary which is not known to hold in the classical case:

Corollary 1. Both binding but computationally concealing and concealing but
computationally binding quantum bit commitments can be constructed from quan-
tum one-way functions.

It would be interesting to find a concealing quantum bit commitment scheme 
directly constructed from one-way functions which improves the complexity of 
our construction. Is it possible to find a non-interactive concealing commitment 
scheme from the same complexity assumption or are such constructions inher- 
ently interactive? It is also unclear whether or not perfectly concealing schemes 
can be based upon any quantum one-way function. 

Although we assumed in this paper a perfect quantum channel, our construc-
tion should also work with noisy quantum transmission. It would be nice to
provide the analysis for this general case.
Abstract. We formalize the notion of a cryptographic counter, which
allows a group of participants to increment and decrement a crypto-
graphic representation of a (hidden) numerical value privately and ro-
bustly. The value of the counter can only be determined by a trusted
authority (or group of authorities, which may include participants them-
selves), and participants cannot determine any information about the
increment/decrement operations performed by other parties.

Previous efficient implementations of such counters have relied on fully-
homomorphic encryption schemes; this is a relatively strong requirement
which not all encryption schemes satisfy. We provide an alternate ap-
proach, starting with any encryption scheme homomorphic over the ad-
ditive group $\mathbb{Z}_2$ (i.e., 1-bit xor). As our main result, we show a general
and efficient reduction from any such encryption scheme to a general
cryptographic counter. Our main reduction does not use additional as-
sumptions, is efficient, and gives a novel implementation of a general
counter. The result can also be viewed as an efficient construction of a
general $n$-bit cryptographic counter from any 1-bit counter which has
the additional property that counters can be added securely.

As an example of the applicability of our construction, we present a 
cryptographic counter based on the quadratic residuosity assumption 
and use it to construct an efficient voting scheme which satisfies universal 
verifiability, privacy, and robustness. 



1 Introduction 

1.1 Cryptographic Counters 

In this paper we present an efficient and secure protocol for calculating the sum
of integers, where each integer is held privately by a single participant. Although
it is clear that this can be achieved via the completeness results for multi-party
computation (see [14] for a complete review of multi-party computation and
related results), such constructions are only of theoretical interest as they are
too inefficient to be of practical use. In order to construct our secure addition
protocol, we introduce an abstraction we call a cryptographic counter that may
be of independent interest. In particular, such counters may have a variety of
applications, especially as subroutines in larger multi-party computations. We
give a formal definition of cryptographic counters, and provide a construction
based on any encryption scheme homomorphic over the additive group $\mathbb{Z}_2$.

Informally, a cryptographic counter is a public string which can be viewed as 
an encryption of a value such that the value is hidden from all participants except 
a trusted authority (who holds some secret key) . Only the trusted authority can 
decrypt and thereby determine the value of the counter, whereas all participants 
have the ability to increment or decrement (update) the counter by an arbitrary 
amount. Information about updates (e.g., whether the counter was incremented 
or decremented) is kept hidden from all other participants. We also consider 
restricted cryptographic counters for which the set of legal update operations is 
constrained in some publicly-known way. 

Previous constructions of cryptographic counters (in the context of voting
schemes) have relied on what we call fully-homomorphic encryption. Informally,
this is an encryption scheme for which, for any $n_0 > 0$, there is some choice of
the security parameter such that the resulting encryption is homomorphic over
(the additive group) $\mathbb{Z}_n$, where $n > n_0$. It is clear how a cryptographic counter
can be constructed given this strong property (the difficult aspects of previous
constructions were providing efficient proofs of validity and achieving threshold
decryption). In this paper, we provide a construction of an $n$-bit cryptographic
counter based on any 1-bit cryptographic counter that also allows secure addition
(mod 2) of multiple counters. This immediately implies a construction from any
encryption scheme homomorphic over $\mathbb{Z}_2$. As a concrete example, we present an
efficient $n$-bit counter based only on the quadratic residuosity assumption.

Addition is a useful function to compute privately, as many of the currently- 
proposed applications of secure multi-party computation rely heavily on sum- 
ming secret values held by different individuals. It has particular relevance to the 
problem of secure electronic voting, in which each participant holds a vote which 
is either 0 or 1, and the participants wish to determine the tally without revealing 
individual votes. As an example of the applicability of cryptographic counters, we 
use them to build a secure voting scheme and compare it to previously-proposed 
solutions. In particular, ours is the first efficient construction of a voting scheme 
which is not based on fully-homomorphic encryption. 



1.2 Secure Electronic Voting 

An electronic voting scheme is a protocol allowing voters to cast a vote by 
interacting with a set of authorities who collect the votes, tally them, and publish 
the final result. There are a variety of properties which may be desired of an 
electronic voting scheme; however, the cryptographic literature has traditionally 
focused on the following three requirements: 
Privacy ensures that an individual's vote is kept hidden from (any reasonably-
sized coalition of) other voters and even the authorities themselves.

Universal Verifiability means that any party, including a passive observer, can 
be convinced that all votes cast were valid and that the final tally was computed 
correctly. 

Robustness guarantees that the final tally can be correctly computed even in 
the presence of faulty behavior of a number of parties. 



It is furthermore desirable to minimize the interaction between parties. In par-
ticular, voters should not have to interact with each other to cast a vote or
(ideally) to prove validity of votes, and the authorities should be able to remain
off-line until the election is concluded. Other features are not considered in the
present work. For example, information-theoretic privacy is sometimes required,
while we only require computational privacy. Receipt-freeness and pre-
venting vote-duplication can be achieved by other means and are not considered here.

Many voting schemes meeting the above requirements have been proposed.
However, all previously-known schemes achieving universal ver-
ifiability rely on fully-homomorphic encryption schemes, where the homomor-
phism is over the additive group $\mathbb{Z}_n$ and $n$ is larger than the number of voters (our
use of the term "fully-homomorphic" is explained above). One typical paradigm
is as follows: say voter $i$ wishes to cast vote $v_i$, where, for a valid vote, we have
$v_i \in \{0, 1\}$. To vote, voter $i$ publicly posts¹ $E_{pk}(v_i)$, the encryption of $v_i$ under
some public key established by the set of authorities. When everyone has voted,
the authorities compute the product of the encryptions (which can be publicly
computed) and decrypt the result; this gives the correct final tally since:

$$D_{sk}\big(E_{pk}(v_1) \cdots E_{pk}(v_N)\big) = v_1 + \cdots + v_N,$$

where equality holds by the homomorphic properties of the encryption scheme.
Depending on the level of trust in the authorities, they may also provide a (pub-
licly verifiable) proof that decryption was done correctly. In this way, everyone
is assured that all votes were correctly counted.
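The tallying paradigm just described, as an added Python example that is not part of the paper: Paillier's cryptosystem (not named on this page, chosen here because its homomorphism is over $\mathbb{Z}_N$, i.e. it is "fully-homomorphic" in the paper's sense) plays the role of $E_{pk}$, the public product of ballots is the authorities' combination step, and the last function shows what goes wrong without the proof of validity the footnote mentions. The primes are toy-sized and constructed for the demo.

```python
# Added example (not from the paper): the homomorphic tally
# D_sk(E_pk(v_1) ... E_pk(v_N)) = v_1 + ... + v_N with Paillier encryption.
# Toy-sized demo primes; no proof of vote validity is attached to a ballot.
import math
import random


def paillier_keygen(p, q):
    """Returns pk = (N, g) and sk = (N, lam, mu) for distinct primes p, q."""
    N = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = N + 1                                           # g^m = 1 + mN (mod N^2)
    L = lambda u: (u - 1) // N
    mu = pow(L(pow(g, lam, N * N)), -1, N)              # inverse of L(g^lam) mod N
    return (N, g), (N, lam, mu)


def paillier_encrypt(pk, m):
    """E_pk(m) = g^m * r^N mod N^2 with fresh random r coprime to N."""
    N, g = pk
    r = random.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = random.randrange(1, N)
    return (pow(g, m, N * N) * pow(r, N, N * N)) % (N * N)


def paillier_decrypt(sk, c):
    """D_sk(c) = L(c^lam mod N^2) * mu mod N."""
    N, lam, mu = sk
    return ((pow(c, lam, N * N) - 1) // N) * mu % N


def combine(pk, ciphertexts):
    """Public step: the product of all posted encryptions mod N^2,
    which encrypts the sum of the plaintexts."""
    N2 = pk[0] ** 2
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc


def tally(pk, sk, ballots):
    """Decrypt the combined ballot: the sum of the votes mod N, and N is far
    larger than the number of voters, so no wrap-around occurs."""
    return paillier_decrypt(sk, combine(pk, ballots))


def demo():
    """Returns (honest tally, tally after one ballot encrypting 7)."""
    pk, sk = paillier_keygen(1000000007, 1000000009)    # constructed demo primes
    honest = [paillier_encrypt(pk, v) for v in (1, 0, 1, 1, 0)]
    # Nothing in the tally itself checks v_i in {0, 1}: without the proof of
    # validity the text's footnote mentions, a "vote" of 7 is simply added.
    rogue = paillier_encrypt(pk, 7)
    return tally(pk, sk, honest), tally(pk, sk, honest + [rogue])


if __name__ == "__main__":
    print(demo())   # (3, 10)
```

The product of ballots can be recomputed by anyone from the bulletin board, which is what makes the count publicly checkable; the rogue ballot shows why the per-ballot validity proof is not optional in a real scheme.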

Many examples of fully-homomorphic encryption schemes are known. Among the voting
schemes built on them, some are based on the $r$-th residuosity assumption, some on the
discrete logarithm assumption in prime-order groups, and one on the hardness of deciding
residue classes in $\mathbb{Z}^*_{N^2}$. Even so, it is interesting to determine the minimal assumptions
under which an efficient voting protocol can be constructed.

We show how privacy and universal verifiability can be achieved without
fully-homomorphic encryption. Our construction uses an $n$-bit counter which, in
turn, is constructed from any encryption scheme homomorphic over $\mathbb{Z}_2$ (i.e., the
1-bit XOR operation). Using as a specific example the well-studied encryption
scheme based on the hardness of deciding quadratic residuosity, we show
how to achieve robustness as well.

¹ This might be accompanied by a proof of validity, but for simplicity we focus here
on that portion of the protocol which relies on the homomorphic properties of the
encryption.

Table 1. Efficiency of some voting schemes. $L$ is the number of voters, $M$ is the number
of authorities, $k_1$ is a security parameter, and $2^{-k_2}$ is a bound on the probability of
cheating (in [8,9], the probability of cheating is $2^{-k_1}$). Computation is measured in
bitwise operations, assuming multiplication of $k$-bit numbers requires $O(k^2)$ operations.

Scheme        | Size of Vote + Proof   | Voter Computation        | Authority Computation
[8]           | $O(k_1 M)$             | $O(k_1^3 M)$             | $O(k_1^3 L)$
[9]           | $O(k_1)$               | $O(k_1^3)$               | $O(k_1^3 L)$
Present work  | $O(k_1 k_2 \log L)$    | $O(k_1^3 k_2 \log L)$    | $O(k_1 \log L + L)$

Often, basing a result on a weaker assumption results in an impractical
scheme. However, our resulting voting scheme is efficient enough to be practical.
A comparison of the efficiency of our construction with those of [8,9] appears in
Table 1. Our simplest solution, while being both size- and computation-efficient,
requires sequential execution and hence $O(L)$ rounds (as compared with previ-
ous solutions which require $O(1)$ rounds). We discuss ways of dealing with this
issue later in the paper.

2 Definitions 

In this section we formalize the notion of a cryptographic counter. Although 
related notions have been folklore in the cryptographic community (particularly 
in the context of electronic voting), a formal definition has, to the best of our 
knowledge, not previously appeared. 

Counters. In order to more easily define a cryptographic counter, we first need 
a formal definition of a counter. 

Definition 1. An $n$-counter consists of a set $S$ along with a pair of algorithms
$(D, T)$ in which:

— $S = \{s_1, \ldots\}$ represents the set of states of the counter.

— $D$, the decoding algorithm, is a deterministic algorithm which takes as input
a state $s \in S$ and returns a number $i \in \mathbb{Z}_n$. This defines a mapping from
states in $S$ to numbers in the range $[0, n - 1]$.

— $T$, the transition algorithm, is a probabilistic algorithm which takes as input
a state $s \in S$ and an integer $i \in \mathbb{Z}_n$ and returns a state $s' \in S$. This function
defines legal update operations on the counter.

We require that for all $s \in S$ and $i \in \mathbb{Z}_n$, if $s' \leftarrow T(s, i)$, then $D(s') = D(s) +
i \bmod n$.

Note that subtraction of integer $i$ can be done by simply computing the inverse
of $i$ in $\mathbb{Z}_n$ and adding $-i$ using the transition algorithm.
Cryptographic Counters. We now turn to the definition of a cryptographic
counter. We first define its components, and follow this with definitions of se-
curity against two types of adversaries: honest-but-curious and malicious. All
algorithms are assumed to run in time polynomial in the security parameter $k$,
and $n$ is fixed independently of $k$.

Definition 2. A cryptographic $n$-counter is a triple of algorithms $(\mathcal{G}, D, T)$ in
which:

— $\mathcal{G}$, the key generation algorithm, is a probabilistic algorithm that on input $1^k$
outputs a public key/secret key pair $(pk, sk)$ and a string $s_0$. The secret
key, in turn, implicitly defines² an associated set of states $S_{sk}$. It is the case
that $s_0 \in S_{sk}$.

— $D$, the decryption algorithm, is a deterministic algorithm that takes as input
a secret key $sk$ and a string $s$. If $s \in S_{sk}$, then $D$ outputs an integer $i \in \mathbb{Z}_n$.
Otherwise, $D$ outputs $\bot$.

— $T$, the transition algorithm, is a probabilistic algorithm that takes as input
the public key $pk$, a string $s$, and an integer $i \in \mathbb{Z}_n$ and outputs a string $s'$.

For any $(pk, sk)$ output by $\mathcal{G}$, define $D' = D(sk, \cdot)$ and $T' = T(pk, \cdot, \cdot)$. Then
we require that the set $S_{sk}$ along with algorithms $(D', T')$ define an $n$-counter.
Furthermore, we require that $D'(s_0) = 0$ (this represents initialization of the
counter to 0).

Security (Honest-but-Curious). We briefly describe the attack scenario
before giving the formal definition. Adversary $A$ is given the public key and the
initial state $s_0$. The adversary then outputs³ a sequence of integers $i_1, \ldots, i_\ell \in
\mathbb{Z}_n$. The state is updated accordingly; that is, the transition algorithm $T$ is run
$\ell$ times, generating $s_1, \ldots, s_\ell$. All intermediate states are given to the adversary,
who then outputs $x_0, x_1 \in \mathbb{Z}_n$. A bit $b$ is selected at random, and the counter
is incremented by $x_b$ to give state $s^*$. The adversary, given $s^*$, must then guess
the value of $b$.

Definition 3. We say that cryptographic $n$-counter $(\mathcal{G}, D, T)$ is secure against
honest-but-curious adversaries if, for all poly-time adversaries $A$, the following
is negligible (in $k$):

$$\left| \Pr\left[ \begin{array}{l} (pk, sk, s_0) \leftarrow \mathcal{G}(1^k) \\ (i_1, \ldots, i_\ell) \leftarrow A(1^k, pk, s_0) \\ s_1 \leftarrow T(pk, s_0, i_1);\ \ldots;\ s_\ell \leftarrow T(pk, s_{\ell-1}, i_\ell) \\ (x_0, x_1) \leftarrow A(s_1, \ldots, s_\ell) \\ b \leftarrow \{0, 1\} \\ s^* \leftarrow T(pk, s_\ell, x_b) \\ b' \leftarrow A(s^*) \end{array} \;:\; b' = b \right] - 1/2 \right|$$

² Note that membership in $S_{sk}$ may not be efficiently decidable when given only $pk$.
We require, however, that membership is efficiently decidable given $sk$.

³ These integers may be chosen adaptively, but for simplicity we present the non-
adaptive case here. Note that the construction of Section 3 achieves security against
an adaptive adversary as well.
Security (Malicious). An honest-but-curious adversary is restricted to hav-
ing the increment operations (which he must distinguish between) performed
on a state distributed according to the output of the transition algorithm $T$. A
malicious adversary, in contrast, is allowed to select the state to be incremented
freely. In fact, we allow the adversary to select any string to be incremented
by $T$; this allows us to deal with the case in which there is no efficient way to
determine whether a string $s$ is a valid state (i.e., whether $s \in S_{sk}$).

Definition 4. We say that cryptographic $n$-counter $(\mathcal{G}, D, T)$ is secure against
malicious adversaries if, for all poly-time adversaries $A$, the following is negli-
gible (in $k$):

$$\left| \Pr\left[ \begin{array}{l} (pk, sk, s_0) \leftarrow \mathcal{G}(1^k) \\ (s, x_0, x_1) \leftarrow A(1^k, pk, s_0) \\ b \leftarrow \{0, 1\} \\ s^* \leftarrow T(pk, s, x_b) \\ b' \leftarrow A(s^*) \end{array} \;:\; b' = b \right] - 1/2 \right|$$

Verifiable Counters. It may sometimes be useful to verify whether tran- 
sitions were indeed computed correctly. For example, when using a counter for 
voting, it should be publicly verifiable that each voter acted in a correct manner. 
We therefore define the notion of a verifiable cryptographic counter as follows: 

Definition 5. A verifiable cryptographic $n$-counter is a tuple $(\mathcal{G}, D, T, V)$ such
that:

— $(\mathcal{G}, D, T)$ is a cryptographic $n$-counter.

— $V$, the verification algorithm, is a probabilistic algorithm satisfying complete-
ness and soundness for all $(pk, sk)$ output by $\mathcal{G}$, as follows:

1. (Completeness) For all $s \in S_{sk}$, if $s' \leftarrow T(pk, s, i)$ for some $i \in \mathbb{Z}_n$ then:

$V(pk, s, s') = 1.$

(Note that $V$ does not require $i$ as input.)

2. (Soundness) For all $s$ and all strings $s'$ such that for all $i$, $s'$ is not in
the range of $T(pk, s, i)$, the following probability is negligible (in $k$):

$\Pr[V(pk, s, s') = 1].$

Restricted Counters. The definitions above may be modified to allow for the
possibility that although the counter can store values in $\mathbb{Z}_n$, update operations
are restricted to some subset of $\mathbb{Z}_n$. We call counters with this property restricted.
An illustrative example is a counter used in a voting scheme. Although the
counter needs to be able to store values up to $L$ (the number of voters), it may
be required to restrict update operations to the set $\{0, 1\}$ (representing a yes/no
vote). Modifications to the definitions are straightforward.
Additive Counters. The transition algorithms described above take an old
state $s$ and an integer $i$ and output a new state $s'$ which represents the old value
incremented by $i$. However, Definitions 1 and 2 may be modified such that the
transition algorithm takes an old state $s$ and a second state $s'$ and then outputs a
new state $s''$ which represents the old value incremented by the value stored in $s'$.
Such counters are termed additive. Note that additive cryptographic $n$-counters
include the case of homomorphic encryption over $\mathbb{Z}_n$; yet, the former are more
general since the transition algorithm need not be multiplication. The security
definitions can be modified for the case of additive counters in the natural way.

3 Constructing Cryptographic Counters 

In the following subsections we describe the construction of a cryptographic $n$-counter
based on any 1-bit additive cryptographic counter. We also discuss the extension
to the case of verifiable cryptographic counters. Then, using as a par-
ticular example the encryption scheme based on quadratic residuosity (see
the appendix), which is homomorphic over $\mathbb{Z}_2$, we give an efficient construction
of a verifiable cryptographic $n$-counter where update operations are restricted
to $\{0, 1\}$. This provides a natural foundation for a voting protocol; we discuss
this connection further in a later section.

3.1 Linear Feedback Shift Registers 

Before presenting our main result, we provide an introduction to the theory of
linear feedback shift registers; a more comprehensive treatment can be found
in the standard references. Let $r_1, r_2, \ldots \in \{0, 1\}$ be a sequence of elements (called registers)
satisfying the $k$-th order linear recurrence relation:

$$r_{j+k} = b_k r_{j+k-1} + \cdots + b_1 r_j, \quad (1)$$

where $b_i \in \{0, 1\}$ (throughout this section, addition is over the field $\mathbb{Z}_2$). The
sequence $r_1, r_2, \ldots$ is called a linear recurring sequence. Once the terms $r_1, \ldots, r_k$
have been fixed, the rest of the sequence is uniquely determined. Define the $j$-
th state of this sequence to be the vector $(r_j, \ldots, r_{j+k-1})$. Equation (1) defines
transitions between these states: given state $s = (r_1, \ldots, r_k)$, the next state
$s' = (r'_1, \ldots, r'_k)$ can be computed as follows:

$$r'_i = \begin{cases} r_{i+1} & 1 \le i < k \\ f(r_1, \ldots, r_k) & i = k \end{cases}$$

where the function $f$ is given by (1) as:

$$f(r_1, \ldots, r_k) = b_k r_k + \cdots + b_1 r_1.$$

This sequence of states defines a linear feedback shift register (LFSR). For the
present application, it is important to note that $f$ can be computed using XOR
operations only.
Since an LFSR has a finite set of states, the sequence of states eventually
repeats. The number of states which appear before the first state repeats (and
the sequence begins again) is called the period. Clearly, an LFSR with period n
can be used to count from 0 to n − 1: choose an arbitrary initial state giving rise
to a sequence of period n, label this initial state "0", and label every succeeding
state by one more than the label of its predecessor.

It is possible to associate with every LFSR (whose underlying recurrence
relation is given by Equation (1)) the characteristic polynomial
$g(x) = x^k - b_k x^{k-1} - \cdots - b_1$. The period of an LFSR is related to the order of its
characteristic polynomial. In particular, if the characteristic polynomial of an LFSR is
primitive (footnote 4), then the LFSR has maximum possible period $2^k - 1$ (assuming the
initial state of the LFSR is not the zero vector) [ref]. Primitive polynomials
can be generated efficiently using a probabilistic algorithm [ref]. It is thus possible
to efficiently construct an LFSR which counts from 0 to n − 1 using the
minimum possible $\lceil \log_2 n \rceil$ registers (each representing a single bit).

Given a state s of an LFSR (and assuming knowledge of the initial state),
it is easy to decode the state and determine the number it represents by either
counting down from s to the initial state, or counting up from the initial state
until state s is reached. This requires time O(n). This procedure is fast, however,
even for large n (footnote 5), since each state transition consists of only simple, bitwise
manipulations (shifts and XORs). More efficient approaches are mentioned in
Section 3.3.



3.2 General Construction of a Cryptographic Counter 

Theorem 1. An additive cryptographic 2-counter secure against honest-but-curious
(resp. malicious) adversaries implies the existence of a cryptographic
n-counter secure against honest-but-curious (resp. malicious) adversaries, for
all n of the form $n = 2^\ell - 1$.

Sketch of Proof. An encryption scheme homomorphic over (the additive
group) $\mathbb{Z}_2$ is an example of an additive cryptographic 2-counter secure against
honest-but-curious adversaries. For ease of exposition, we describe the construction
of a cryptographic n-counter using an encryption scheme $(\mathcal{G}, \mathcal{E}, \mathcal{D})$ which is
homomorphic over $\mathbb{Z}_2$; it should be clear, however, that a substantially similar
construction yields a cryptographic n-counter starting from any additive cryptographic
2-counter.

(footnote 4) A polynomial $g \in \mathbb{Z}_2[x]$ of degree k is primitive if the smallest integer N for which
$g \mid (x^N - 1)$ is $N = 2^k - 1$.

(footnote 5) For a typical voting scheme, n will be on the order of the number of voters. So, even
for the U.S. election, we have n only (roughly) $10^8$.

We show how to use the encryption scheme as a building block to construct
a cryptographic n-counter. First, note that an LFSR (as described in Section
3.1) is an n-counter. The idea behind the construction is as follows: since only
XOR operations are needed to effect transitions, the encryption scheme allows
a participant to change the counter without leaking any information about the
transition. Below is a complete description of the protocol (here, $\ell = \lceil \log_2 n \rceil$):

Key Generation Algorithm

1. Run $\mathcal{G}(1^k)$ to generate public key $pk_0$ and secret key $sk_0$.

2. Generate a primitive polynomial $g \in \mathbb{Z}_2[x]$ of degree $\ell$ using [ref].

3. Set $r_1 = \mathcal{E}_{pk_0}(1)$ and $r_2 = \mathcal{E}_{pk_0}(0), \ldots, r_\ell = \mathcal{E}_{pk_0}(0)$.

4. Set $s_0 = (r_1, \ldots, r_\ell)$, $sk = (sk_0, g)$, and $pk = (pk_0, g)$. Output pk, sk, and
$s_0$.

Transition Algorithm [defined for $i \in \mathbb{Z}_n$] $\mathcal{T}((pk_0, g), (r_1, \ldots, r_\ell), i)$:

1. Polynomial g defines (nonzero) $f(r_1, \ldots, r_\ell) = b_\ell r_\ell + \cdots + b_1 r_1$ (see Section
3.1).

2. Repeat the following procedure i times (footnote 6):

(a) Set $r'_1 = r_2; \ldots; r'_{\ell-1} = r_\ell$.

(b) Set $r'_\ell = \prod_{j=1}^{\ell} r_j^{b_j}$ (the product of the ciphertexts in the tapped registers;
by the homomorphism over $\mathbb{Z}_2$ this is an encryption of $f(r_1, \ldots, r_\ell)$).

(c) Set $r_1 = r'_1; \ldots; r_\ell = r'_\ell$.

3. Set $r'_i = r_i \cdot \mathcal{E}_{pk_0}(0)$, for $1 \le i \le \ell$. Output $s' = (r'_1, \ldots, r'_\ell)$.

Decryption Algorithm $\mathcal{D}(sk = (sk_0, g), s = (r_1, \ldots, r_\ell))$:

1. Let $r^*_i = \mathcal{D}_{sk_0}(r_i)$, for $1 \le i \le \ell$.

2. Let $s^* = (r^*_1, \ldots, r^*_\ell)$.

3. Increment the LFSR defined by polynomial g, beginning with initial state
(1, 0, ..., 0), until reaching state $s^*$. Let t be the number of transitions made.
Output t.

The protocol described above is a cryptographic n-counter secure against an
honest-but-curious adversary. To see this, fix n. The size of the LFSR, $\ell$, is thus
a constant (independent of the security parameter). A simple hybrid argument
shows that an adversary cannot distinguish between random representations of
any two states of the counter. Therefore, an adversary cannot gain any information
about the current value of the counter, nor about transitions made. We
leave a formal proof to the full version of the paper.

Note that if we start with a cryptographic 2-counter secure against malicious
adversaries, the above construction is also secure against malicious adversaries.
When using an arbitrary encryption scheme homomorphic over $\mathbb{Z}_2$, the above
construction is secure against malicious adversaries if it can be efficiently determined
(given pk) whether a string represents a valid ciphertext (footnote 7); in this case,
the transition algorithm must first check whether every register in s represents
a valid ciphertext before computing s' (if this is not true, it aborts). □

(footnote 6) This algorithm can be made significantly more efficient to run in time polynomial
in log n. This is discussed briefly in Section 3.3.

(footnote 7) For example, in the case of encryption using quadratic residuosity, it is possible to
tell whether a string C is a valid ciphertext by checking that the Jacobi symbol of
C is 1.
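The protocol above (Sections 3.1 and 3.2), as an added worked example that is not code from the paper: a toy instantiation with the quadratic-residuosity scheme of Appendix A over a constructed Blum integer, the degree-8 primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$ (so $n = 255$), the encrypted LFSR transition of step 2 and the counting decryption of step 3. The primes, the polynomial and all function names are assumptions of this example.

```python
"""Toy cryptographic n-counter (added example, not the paper's code): registers of an
LFSR held as Goldwasser-Micali style single-bit ciphertexts over a Blum integer."""
import math
import secrets

# Constructed toy Blum integer: both primes are 3 mod 4 and far too small for real use.
P, Q = 499, 503
N = P * Q

# Primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 over Z_2, stored as (b_1, ..., b_8) for
# the recurrence r_{j+8} = b_8 r_{j+7} + ... + b_1 r_j, so the counter has n = 2^8 - 1.
B = [1, 0, 1, 1, 1, 0, 0, 0]
ELL = len(B)
N_COUNTER = 2 ** ELL - 1


def qr_encrypt(pk, bit):
    """E_pk(bit): a random quadratic residue r^2 for 0, a random non-residue -r^2 for 1
    (-1 is a non-residue with Jacobi symbol +1 modulo a Blum integer)."""
    while True:
        r = secrets.randbelow(pk - 1) + 1
        if math.gcd(r, pk) == 1:
            break
    return (r * r) % pk if bit == 0 else (-r * r) % pk


def qr_decrypt(sk, y):
    """QR_N(y): 0 iff y is a residue mod N = pq, i.e. Legendre symbols mod p and q are both 1."""
    p, q = sk
    residue = pow(y % p, (p - 1) // 2, p) == 1 and pow(y % q, (q - 1) // 2, q) == 1
    return 0 if residue else 1


def lfsr_step(state):
    """Plaintext transition: shift left, new last register f(r_1..r_l) = sum of b_i r_i mod 2."""
    feedback = sum(b * r for b, r in zip(B, state)) % 2
    return state[1:] + [feedback]


def lfsr_period():
    """Steps until (1,0,...,0) recurs: exactly 2^l - 1 when the polynomial is primitive."""
    s0 = [1] + [0] * (ELL - 1)
    s, t = lfsr_step(s0), 1
    while s != s0:
        s, t = lfsr_step(s), t + 1
    return t


def keygen():
    """Key generation: pk = N, sk = (p, q); the initial state s_0 encrypts (1, 0, ..., 0)."""
    pk, sk = N, (P, Q)
    s0 = [qr_encrypt(pk, 1)] + [qr_encrypt(pk, 0) for _ in range(ELL - 1)]
    return pk, sk, s0


def transition(pk, state, i):
    """T(pk, s, i): i encrypted LFSR steps, then re-randomise every register with E_pk(0)."""
    s = list(state)
    for _ in range(i % N_COUNTER):
        # The product of the tapped ciphertexts encrypts the XOR of the tapped bits.
        feedback = 1
        for b, r in zip(B, s):
            if b:
                feedback = (feedback * r) % pk
        s = s[1:] + [feedback]
    return [(r * qr_encrypt(pk, 0)) % pk for r in s]


def decrypt(sk, state):
    """D(sk, s): decrypt the registers, then count LFSR steps from (1,0,...,0) to that state."""
    target = [qr_decrypt(sk, r) for r in state]
    s, t = [1] + [0] * (ELL - 1), 0
    while s != target:
        if t >= N_COUNTER:
            raise ValueError("decrypted registers are not a state on the counter's cycle")
        s, t = lfsr_step(s), t + 1
    return t


if __name__ == "__main__":
    pk, sk, s = keygen()
    for vote in (1, 0, 1, 1):          # four constructed voters, three of them vote 1
        s = transition(pk, s, vote)
    print("period", lfsr_period(), "tally", decrypt(sk, s))   # period 255, tally 3
```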
In order to make the above construction verifiable, only a few changes are
needed. First, we include a random string r in the public key. Additionally, we
change the transition algorithm so that after s' has been output, we append a
non-interactive zero-knowledge proof (NIZK) using random string r that the
transition from s to s' was valid. The verification algorithm V runs the proof-verification
algorithm for the NIZK proof. If the proof verification succeeds, the
verification algorithm outputs 1; otherwise, it outputs 0. A verifiable, restricted
n-counter can be constructed in a similar way.

3.3 Observations on the Cryptographic Counter Construction 

Linear feedback shift registers have an algebraic interpretation: the state of an
$\ell$-bit LFSR represents an element of $GF^*(2^\ell)$. Incrementing the counter corresponds
to multiplication of the state by a generator, g, of the multiplicative
group $GF^*(2^\ell)$. This allows for two important gains in efficiency, which are
highlighted below.

First, the counter may be efficiently updated by values larger than 1. In
particular, the counter may be incremented by value i in only $O(\ell \cdot \log i)$ steps
(multiplying the state by $g^i$ via repeated squaring), as opposed to the $O(\ell \cdot i)$ steps
used in the transition function of Section 3.2.

Next, note that the state of the LFSR can be viewed as an element of the
form $g^t$ in $GF^*(2^\ell)$. Therefore, one can use algorithms for solving the discrete
logarithm problem to determine the value represented by the state of the LFSR.
In particular, it is relatively straightforward to determine the value of an $\ell$-bit
LFSR in time …, and an algorithm due to Coppersmith [ref] allows decoding in
time ….

3.4 An Efficient Cryptographic Counter 

The well-known encryption scheme based on quadratic residuosity [ref] (see
Appendix A) is homomorphic over $\mathbb{Z}_2$. Application of Theorem 1 (see also footnote
7) shows that the construction outlined there results in a cryptographic
counter secure against malicious adversaries when instantiated with this encryption
scheme. If we are interested in verifiability, however, the generic construction
of Section 3.2 will be impractical unless there exists an efficient NIZK proof that
the transition algorithm was executed correctly. In the case of quadratic residuosity,
we show that efficient NIZK proofs are possible. Since we are interested
in eventual applications to electronic voting, we focus on the case of a restricted
counter where transitions are limited to either no change in the counter (a 0
vote) or incrementing the counter by 1 (a 1 vote).

Consider the cryptographic counter protocol of Section 3.2 instantiated with
encryption based on quadratic residues. Let N be a Blum integer which is part
of the associated public key. The string $s = (r_1, \ldots, r_\ell)$ (with $r_i \in \mathbb{Z}_N^{+1}$) is a
cryptographic representation of some state of the LFSR, but this underlying
state cannot be determined unless one knows the secret key. However, following
a transition to $s' = (r'_1, \ldots, r'_\ell)$, there are two possibilities: either

$$\mathcal{QR}_N(r'_i) = \mathcal{QR}_N(r_i), \text{ for } 1 \le i \le \ell, \qquad (2)$$

which represents a 0 vote, or

$$\mathcal{QR}_N(r'_i) = \mathcal{QR}_N(r_{i+1}), \text{ for } 1 \le i < \ell, \quad \text{and} \quad \mathcal{QR}_N(r'_\ell) = \mathcal{QR}_N\Big(\prod_{j=1}^{\ell} r_j^{b_j}\Big), \qquad (3)$$

(with $b_j$ as defined in Section 3.1), which represents a 1 vote. We seek an NIZK
proof that either condition (2) or condition (3) holds. Note that, because the scheme is
homomorphic ($\mathcal{QR}_N(a) = \mathcal{QR}_N(b)$ iff $\mathcal{QR}_N(ab) = 0$), these conditions
are equivalent to the following: either

$$\mathcal{QR}_N(r'_i \cdot r_i) = 0, \text{ for } 1 \le i \le \ell, \qquad (4)$$

or else

$$\mathcal{QR}_N(r'_i \cdot r_{i+1}) = 0, \text{ for } 1 \le i < \ell, \quad \text{and} \quad \mathcal{QR}_N\Big(r'_\ell \cdot \prod_{j=1}^{\ell} r_j^{b_j}\Big) = 0. \qquad (5)$$

Therefore, an NIZK proof that one of (4) or (5) holds is sufficient.

Fig. 1. Proof of validity for a counter transition. (figure not reproduced)

In Figure 1 we describe a protocol which takes as input two sequences
$X_1, \ldots, X_\ell$ and $Y_1, \ldots, Y_\ell$, and proves the following statement:

$$\big((\mathcal{QR}_N(X_1) = 0) \wedge \cdots \wedge (\mathcal{QR}_N(X_\ell) = 0)\big) \vee \big((\mathcal{QR}_N(Y_1) = 0) \wedge \cdots \wedge (\mathcal{QR}_N(Y_\ell) = 0)\big). \qquad (6)$$

By the arguments of the previous paragraph, this is sufficient for our application.
The prover knows the square roots of every element of at least one of these
sequences (footnote 8) (for someone who honestly increments the counter by either 0 or 1,
this will be the case); these are the witnesses that these elements are quadratic
residues.

(footnote 8) Without loss of generality, we assume the prover knows the square roots for the
first input sequence; thus, in Figure 1 we assume the prover knows $\{x_i\}$ such that
$x_i^2 = X_i$, for $1 \le i \le \ell$.

By repeating this protocol $k_2$ times, the probability of cheating is reduced to
$2^{-k_2}$. This protocol can be made non-interactive using the Fiat-Shamir heuristic
[ref], by which the challenge of the verifier is replaced by applying a hash function
(viewed as a random oracle [ref]) to the statement to be proved and the first
message of the prover. Let $\mathcal{H}$ be a suitable hash function. The prover need only
send $z_1, s_1, \ldots, z_\ell, s_\ell, b', b$ as his proof. The verifier can compute $t_i = z_i^2 X_i^{b'}$ and
$u_i = s_i^2 Y_i^{b}$ and then verify whether $b' \oplus b = \mathcal{H}(X_1, \ldots, Y_\ell, t_1, u_1, \ldots, t_\ell, u_\ell)$.
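The Fiat-Shamir OR-proof for statement (6), as an added example that is not the paper's Figure 1: the prover knows the roots of the X sequence (the 0-vote case, built from conditions (4) and (5)), commits honestly on that branch and simulates the Y branch with a self-chosen bit b, and the verifier recomputes $t_i$ and $u_i$ and checks $b' \oplus b$ against the hash. The statement builder, SHA-256 standing in for $\mathcal{H}$, k parallel repetitions and all function names are assumptions of this example.

```python
"""Fiat-Shamir OR-proof for statement (6) (added example, not the paper's Figure 1):
all X_i are quadratic residues mod N, or all Y_i are."""
import hashlib
import math
import secrets


def rand_unit(N):
    """Random element of Z_N^* (retry until coprime to N)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def zero_vote_statement(N, state, taps):
    """Build (X, Y) for a 0-vote transition r'_i = r_i * e_i^2 (fresh E(0)), as in (4) and (5):
    X_i = r'_i r_i has the known root r_i e_i; Y_i = r'_i r_{i+1}, Y_l = r'_l * prod_{b_j=1} r_j."""
    e = [rand_unit(N) for _ in state]
    new = [(r * ei * ei) % N for r, ei in zip(state, e)]
    X = [(n * r) % N for n, r in zip(new, state)]
    roots = [(r * ei) % N for r, ei in zip(state, e)]
    feedback = 1
    for b, r in zip(taps, state):
        if b:
            feedback = (feedback * r) % N
    Y = [(new[i] * state[i + 1]) % N for i in range(len(state) - 1)] + [(new[-1] * feedback) % N]
    return new, X, Y, roots


def challenge_bits(N, X, Y, commits, k):
    """H(X_1..X_l, Y_1..Y_l, t_1, u_1, ..., t_l, u_l) as a random oracle, truncated to k bits."""
    assert 0 < k <= 256, "one SHA-256 digest supplies at most 256 challenge bits"
    h = hashlib.sha256()
    for v in [N, *X, *Y]:
        h.update(str(v).encode() + b"|")
    for t, u in commits:
        for v in [*t, *u]:
            h.update(str(v).encode() + b"|")
    digest = int.from_bytes(h.digest(), "big")
    return [(digest >> j) & 1 for j in range(k)]


def prove(N, X, Y, roots, k):
    """Prover knows x_i with x_i^2 = X_i (the paper's footnote case). Per repetition: an honest
    commitment t_i = w_i^2 on the X branch and a simulated one u_i = s_i^2 Y_i^b on the Y
    branch for a self-chosen bit b; the hash then fixes b' = c xor b."""
    ell = len(X)
    per_rep, commits = [], []
    for _ in range(k):
        w = [rand_unit(N) for _ in range(ell)]
        s = [rand_unit(N) for _ in range(ell)]
        b = secrets.randbelow(2)
        t = [(wi * wi) % N for wi in w]
        u = [(si * si * pow(Yi, b, N)) % N for si, Yi in zip(s, Y)]
        per_rep.append((w, s, b))
        commits.append((t, u))
    proof = []
    for (w, s, b), c in zip(per_rep, challenge_bits(N, X, Y, commits, k)):
        b_prime = c ^ b
        # z_i^2 X_i^{b'} must equal t_i = w_i^2, so z_i = w_i * x_i^{-b'} (using x_i^2 = X_i).
        z = [(wi * pow(xi, -b_prime, N)) % N for wi, xi in zip(w, roots)]
        proof.append((z, s, b_prime, b))
    return proof


def verify(N, X, Y, proof):
    """Recompute t_i = z_i^2 X_i^{b'} and u_i = s_i^2 Y_i^b, then check b' xor b against H."""
    commits = []
    for z, s, b_prime, b in proof:
        if len(z) != len(X) or len(s) != len(Y) or b_prime not in (0, 1) or b not in (0, 1):
            return False
        t = [(zi * zi * pow(Xi, b_prime, N)) % N for zi, Xi in zip(z, X)]
        u = [(si * si * pow(Yi, b, N)) % N for si, Yi in zip(s, Y)]
        commits.append((t, u))
    c = challenge_bits(N, X, Y, commits, len(proof))
    return all((b_prime ^ b) == cj for (_, _, b_prime, b), cj in zip(proof, c))
```

A 1-vote prover runs the same code with the roles of X and Y swapped, since the statement is symmetric.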

Theorem 2. Take the cryptographic counter as described in Theorem 1, instantiated
with encryption based on quadratic residuosity. An update of the counter
now includes a non-interactive proof (as outlined in Figure 1 and using the Fiat-Shamir
heuristic) for statement (6). This then constitutes a verifiable, restricted
cryptographic n-counter (for all n of the form $n = 2^\ell - 1$) which is secure against
malicious adversaries.

Sketch of Proof. The protocol given in Figure 1 constitutes an honest-verifier
perfect zero-knowledge proof with soundness probability 1/2. The proof of this
fact follows from techniques outlined in [ref]; we refer the reader there for discussion
and a complete proof. Repeating the proof $k_2$ times (non-interactively, using
the Fiat-Shamir heuristic) reduces the probability of cheating to $2^{-k_2}$, and is a
non-interactive zero-knowledge proof (in the random oracle model). The counter
is thus restricted in that updates are limited to adding an integer from {0, 1},
and verifiable in that updates can be publicly verified as being in this range.

The security of the construction against a malicious adversary follows from
Theorem 1 and the zero-knowledge properties of the above protocol. □



3.5 Distributed Decryption of the Counter 

We mention that robustness with respect to the trusted authorities can be
achieved via distributed generation of the secret key along with threshold decryption
of the final counter (which can always be achieved via general multi-party
techniques [ref]). For the particular case when encryption is done using quadratic
residuosity, we are able to achieve efficient distributed key generation and threshold
decryption [ref]. As this is not the focus of this work, we defer a complete
discussion until the full version of the paper.

4 Voting with Cryptographic Counters 

We briefly discuss the application of cryptographic counters to the problem of
electronic voting. The discussion will be kept as general as possible. For efficient
implementation, we have outlined above how it is possible to build an efficient
scheme using the encryption scheme based on quadratic residuosity.

We follow the model introduced by Benaloh et al. [ref]. The parties participating
in the election consist of a set of voters $V_1, \ldots, V_L$ and a set of authorities
$A_1, \ldots, A_m$, which need not be disjoint. We assume that everyone has access to
a bulletin board to which all voters will post their messages. Messages are
authenticated, and the identity of a sender cannot be forged, nor can messages to
the bulletin board be tampered with. Messages are listed in order of arrival (or,
equivalently, every message includes the time it was sent), and no one can erase
anything from the bulletin board once posted. Note that we do not assume any
private channels between voters and the authorities. We now give a high-level
description of a voting protocol based on a restricted cryptographic counter; this
proves the following theorem:

Theorem 3. A voting scheme satisfying universal verifiability, privacy, and
robustness can be efficiently constructed from any (robust) verifiable, restricted
cryptographic counter secure against malicious adversaries (where votes are
restricted to the set {0, 1}).

Sketch of Proof. We describe the voting protocol assuming the existence of a
verifiable, restricted cryptographic n-counter (where votes are restricted to the
set {0, 1}) secure against malicious adversaries. Robustness (with respect to the
authorities) follows if the counter itself is robust (as described in Section 3.5).

System Setup. The authorities run the key generation algorithm for the cryptographic
n-counter. Here, n is chosen to be equal to the total number of voters
(or an upper bound on the number of voters if the exact number is unknown). If
robustness is desired, and/or if some voters are also authorities, the key generation
may be done in a robust manner as outlined in Section 3.5. The public key
pk and the initial state $s_0$ are announced to all voters. The key generation step
may be the most expensive part of the entire protocol, but it is only a one-time
operation which can be done months before the election takes place.

Voting. The counter always holds the current vote total. The current counter
value is always defined as the most recently posted (valid) counter value. Denote
the counter after the i-th vote by $s_i$. The (i+1)-th vote is cast as follows: a voter
looks at the current counter and computes new state $s_{i+1}$ using the transition
function, the previous state $s_i$, the desired vote $v \in \{0, 1\}$, and the public key
pk. The voter publishes this updated state which then becomes the current
state (since it is the most recently posted counter). This proceeds for L rounds
until every voter has voted once (see Section 5 for ways to reduce the number of
rounds).

Universal verifiability (and hence vote correctness) follows from verifiability 
of the counter, and voter privacy follows from the definition of security against 
a malicious adversary. Robustness with respect to the authorities follows from 
the (robust) distributed key generation and decryption. 

Tallying. When the election is complete, the authorities determine the final
tally by decrypting the last (valid) counter. If there is more than one trusted
authority, threshold decryption (see Section 3.5) will be necessary. It may also
be desirable to have the authorities prove correctness of the decryption; note
that it is not acceptable to just publish the secret key, since this would allow
determination of every voter's vote retroactively. In the particular case where
encryption is done via quadratic residues, the authorities can easily prove that
decryption was done correctly by publishing an x for each encrypted value y
such that $y = \pm x^2$. □



5 Conclusion 

For small-scale elections, the voting scheme outlined here (when based on the 
encryption scheme using quadratic residuosity) is efficient enough to be practical 
(cf. Table 1). The required computation and vote size are quite reasonable. One 
drawback to this scheme is the number of rounds required for voting to take place. 
When a single cryptographic counter is used, the number of rounds is equal to 
the number of voters, L. However, by using k cryptographic counters, assigning 
each voter to one of k groups, and allowing voting to take place in parallel, the 
number of rounds can be reduced to L/k. Even in a national election, such an 
approach may be acceptable; for example, by assigning a set of counters to each 
voting district. 

From a theoretical point of view, the approach outlined in this paper is 
especially interesting since it was previously unclear whether voting could be 
done efficiently without using fully-homomorphic encryption. 
A The Quadratic Residuosity Assumption

These definitions are standard [ref]. We say $y \in \mathbb{Z}_N^*$ is a quadratic residue modulo
N iff there exists an $x \in \mathbb{Z}_N^*$ such that $y = x^2 \bmod N$; otherwise, y is a quadratic
non-residue modulo N. Define the predicate $\mathcal{QR}_N(y)$ to be 0 iff y is a quadratic residue
modulo N, and 1 otherwise. For p prime, the problem of deciding quadratic residuosity
is equivalent to computing the Legendre symbol. In fact, the Legendre symbol of y
modulo p is defined by $\mathcal{L}_p(y) = +1$ iff y is a quadratic residue, and −1 otherwise.

Now, let $p, q \equiv 3 \pmod 4$ be primes and let N = pq (such N are known as Blum
integers). No efficient algorithm is known for deciding quadratic residuosity modulo
a Blum integer whose factorization is not known. Some information is given by the
Jacobi symbol, which extends the Legendre symbol as $\mathcal{J}_N(y) = \mathcal{L}_p(y)\mathcal{L}_q(y)$. Despite
the way the Jacobi symbol is defined, it is well known that it can be computed in
polynomial time without knowledge of the factors of N. Application of the Chinese
Remainder Theorem shows that if $\mathcal{J}_N(y) = -1$, then y cannot be a quadratic residue
modulo N. On the other hand, if $\mathcal{J}_N(y) = +1$, no polynomial-time algorithm is known
for computing $\mathcal{QR}_N(y)$ if the factorization of N is unknown.

Define $\mathbb{Z}_N^{+1}$ as the set of elements of $\mathbb{Z}_N^*$ with Jacobi symbol 1. It is easy to generate
a random $y \in \mathbb{Z}_N^{+1}$ which is a quadratic residue: choose random $r \in \mathbb{Z}_N^*$ and set
$y = r^2 \bmod N$. It is equally easy to generate a random quadratic non-residue: choose
random $r \in \mathbb{Z}_N^*$ and set $y = -r^2 \bmod N$ (since $p, q \equiv 3 \pmod 4$, −1 is a non-residue
modulo both p and q, so $-r^2$ is a non-residue with Jacobi symbol +1). This suggests the
following semantically secure encryption scheme [ref]: the public key is a Blum integer N,
and the secret key is the prime factors of N. To encrypt a 0, send a random quadratic
residue; to encrypt a 1, send a random quadratic non-residue. This can be extended to
n-bit messages in the obvious way, by concatenating n single-bit encryptions.

When $y_1, y_2 \in \mathbb{Z}_N^{+1}$, it is easily verified that
$\mathcal{QR}_N(y_1 y_2) = \mathcal{QR}_N(y_1) \oplus \mathcal{QR}_N(y_2)$.
This shows that the above encryption scheme is homomorphic over addition in its
message space $\mathbb{Z}_2$.
Abstract. A credential system is a system in which users can obtain
credentials from organizations and demonstrate possession of these credentials.
Such a system is anonymous when transactions carried out by
the same user cannot be linked. An anonymous credential system is of
significant practical relevance because it is the best means of providing
privacy for users. In this paper we propose a practical anonymous
credential system that is based on the strong RSA assumption and the
decisional Diffie-Hellman assumption modulo a safe prime product and
is considerably superior to existing ones: (1) We give the first practical
solution that allows a user to unlinkably demonstrate possession of a
credential as many times as necessary without involving the issuing
organization. (2) To prevent misuse of anonymity, our scheme is the first
to offer optional anonymity revocation for particular transactions. (3)
Our scheme offers separability: all organizations can choose their cryptographic
keys independently of each other. Moreover, we suggest more
effective means of preventing users from sharing their credentials, by
introducing all-or-nothing sharing: a user who allows a friend to use one
of her credentials once, gives him the ability to use all of her credentials,
i.e., taking over her identity. This is implemented by a new primitive,
called circular encryption, which is of independent interest, and can be
realized from any semantically secure cryptosystem in the random oracle
model.
1 Introduction

As information becomes increasingly accessible, protecting the privacy of individuals
becomes a more challenging task. To solve this problem, an application
that allows the individual to control the dissemination of personal information
is needed. An anonymous credential system (also called pseudonym system),
introduced by Chaum [ref], is the best known idea for such a system. In this paper,
we propose a new efficient anonymous credential system, considerably superior
to previously proposed ones. The communication and computation costs of our
solution are small, thus introducing almost no overhead to realizing privacy in
a credential system.

An anonymous credential system consists of users and organizations.
Organizations know the users only by pseudonyms. Different pseudonyms
of the same user cannot be linked. Yet, an organization can issue a credential
to a pseudonym, and the corresponding user can prove possession of this
credential to another organization (who knows her by a different pseudonym),
without revealing anything more than the fact that she owns such a credential.
Credentials can be for unlimited use (these are called multiple-show credentials)
and for one-time use (these are called one-show credentials). Possession of a
multi-show credential can be demonstrated an arbitrary number of times; these
demonstrations cannot be linked to each other.



Basic desirable properties. It should be impossible to forge a credential for
a user, even if users and other organizations team up and launch an adaptive
attack on the organization. Each pseudonym and credential must belong to some
well-defined user [ref]. In particular, it should not be possible for different users
to team up and show some of their credentials to an organization and obtain a
credential for one of them that that user alone would not have gotten. Systems
where this is not possible are said to have consistency of credentials. As
organizations are autonomous entities, it is desirable that they be separable, i.e., be
able to choose their keys themselves and independently of other entities, so as
to ensure security of these keys and facilitate the system's key management.

The scheme should also provide user privacy. An organization cannot find
out anything about a user, apart from the fact of the user's ownership of some
set of credentials, even if it cooperates with other organizations. In particular,
two pseudonyms belonging to the same user cannot be linked [refs].

Finally, it is desirable that the system be efficient. Besides requiring that it be 
based on efficient protocols, we also require that each interaction involve as few 
entities as possible, and the rounds and amount of communication be minimal. 
In particular, if a user has a multiple-show credential from some organization, 
she ought to be able to demonstrate it without getting the organization to reis- 
sue credentials each time. 



Additional desirable properties. It is an important additional requirement
that the users should be discouraged from sharing their pseudonyms and credentials
with other users. The previously known way of discouraging the user from
doing this was by PKI-assured non-transferability. That is, sharing a credential
implies also sharing a particular, valuable secret key from outside the system
(e.g., the secret key that gives access to the user's bank account) [refs].
However, such a valuable key does not always exist. Thus we introduce an
alternative, novel way of achieving this: all-or-nothing non-transferability. Here,
sharing just one pseudonym or credential implies sharing all of the user's other
credentials and pseudonyms in the system, i.e., sharing all of the user's secret
keys inside the system. These two methods of guaranteeing non-transferability
are different: neither implies the other, and both are desirable and can in fact
be combined.

In addition, it may be desirable to have a mechanism for discovering the iden- 
tity of a user whose transactions are illegal (this feature, called global anonymity 
revocation, is optional); or reveal a user’s pseudonym with an issuing organiza- 
tion in case the user misuses her credential (this feature, called local anonymity 
revocation, is also optional). It can also be beneficial to allow one-show creden- 
tials, i.e., credentials that should only be usable once and should incorporate an 
off-line double-spending test. It should be possible to encode attributes, such as 
expiration dates, into a credential. 



Related work. The scenario with multiple users who, while remaining anonymous
to the organizations, manage to transfer credentials from one organization
to another, was first introduced by Chaum [ref]. Subsequently, Chaum and
Evertse [ref] proposed a solution that is based on the existence of a semi-trusted
third party who is involved in all transactions. However, the involvement of a
semi-trusted third party is undesirable.

The scheme later proposed by Damgård [ref] employs general complexity-theoretic
primitives (one-way functions and zero-knowledge proofs) and is therefore
not applicable for practical use. Moreover, it does not protect organizations
against colluding users. The scheme proposed by Chen [ref] is based on discrete-logarithm-based
blind signatures. It is efficient but does not address the problem
of colluding users. Another drawback of her scheme and the other practical
schemes previously proposed is that to use a credential several times, a user
needs to obtain several signatures from the issuing organization.

Lysyanskaya, Rivest, Sahai, and Wolf [ref] propose a general credential system.
While their general solution captures many of the desirable properties, it
is not usable in practice because their constructions are based on one-way functions
and general zero-knowledge proofs. Their practical construction, based on
a non-standard discrete-logarithm-based assumption, has the same problem as
the one due to Chen [ref]: a user needs to obtain several signatures from the
issuing organization in order to use a credential unlinkably several times.

Other related work is that of Brands [ref], who provides a certificate system in
which a user has control over what is known about the attributes of a pseudonym.
Although a credential system with one-show credentials can be inferred from
his framework, obtaining a credential system with multi-show credentials is not
immediate and may in fact be impossible in practice. Another inconvenience of
these and the other discrete-logarithm-based schemes mentioned above is that
all the users and the certification authorities in these schemes need to share the
same discrete logarithm group.

The concept of revocable anonymity is found in electronic payment systems
(e.g., [refs]) and group signature and identity escrow (e.g., [refs]) schemes.

Prior to our work, the problem of constructing a practical system with
multiple-use credentials eluded researchers for some time [refs]. We solve
it by extending ideas found in the constructions of strong-RSA-based signature
schemes [refs] and group signature schemes [ref].



Our contribution. In Section 2 we present our definitions for a credential
system with the basic properties. Although not conceptually new and inspired
by the literature on multi-party computation [ref] and reactive systems [ref],
these definitions are of interest, as our treatment is more formal than the one usually
encountered in the literature on credential and electronic cash systems. We
omit formal definitions for a credential system satisfying the additional desirable
properties and instead refer the reader to the full version of this paper [ref].

Our basic credential system, presented in Section 3, provably satisfies the
basic properties listed above under the strong RSA assumption and the decisional
Diffie-Hellman assumption modulo a strong prime product. Our basic solution is
practical. When using an RSA modulus n of 1024 bits, a credential-pseudonym
pair is about 4K bits, and the most expensive operation of proving possession
of a credential requires about 22 exponentiations in $\mathbb{Z}_n^*$ for both parties and can
be done in three rounds.

Our extended credential system, presented in Sections 4 and 5, describes how
to incorporate additional desirable properties into the basic credential system.
These are also efficient, except the one with all-or-nothing non-transferability:
when using RSA moduli of length 1024 bits, establishing a pseudonym is somewhat
less efficient: it takes about 200 exponentiations in $\mathbb{Z}_n^*$ for both parties, but
batch-verification techniques [ref] could be applied to reduce this, and organizations
have to store about 25K bits per user (here computation complexity could
be traded against storage).

All-or-nothing non-transferability is based on a new primitive we call circular
encryption, discussed in a later section. We implement this primitive in the random
oracle model; it is a challenging open problem whether this primitive can be
realized outside the random oracle model.

This work is the first to introduce one-show credentials with an off-line
double-spending test, similar to known e-cash schemes (in fact, our one-show
credentials can be used as anonymous coins). These one-show credentials are
described in a later section. More precisely, our double-spending test mechanism
together with the all-or-nothing property ensures that, if a user presents such a
credential more than once, then the verifying entity gets the ability to demonstrate
possession of all the pseudonyms and credentials of that user — a strong
incentive to users not to double-spend. From a technical point of view, it might
be interesting that the anonymity of our one-show credentials is not obtained by
blind signatures but by an alternative mechanism.
Another innovation of this work is the possibility of anonymity revocation, 
described in a later section. We stress that this feature is entirely optional. 
Moreover, for each transaction, the user has the freedom of specifying under 
which conditions the anonymity can be revoked (maybe subject to conditions of the 
other parties involved in the transaction). The user may also choose uncondi- 
tional anonymity, and then his identity will not be retrievable under any circum- 
stances. Yet another innovation is separability for organizations. 

2 Formal Definitions and Requirements 

A basic credential system has users, organizations, and verifiers as types of play- 
ers. Users are entities that receive credentials. The set of users in the system may 
grow over time. Organizations are entities that grant and verify the credentials 
of the users. Each organization grants a unique (for simplicity of exposition) type 
of credential. Finally, verifiers are entities that verify credentials of the users. 

Variations of such a system allow a single organization to issue different types 
of credentials. For the purposes of non-transferability, we can add a CA to the 
model who verifies that the users entering the system possess an external public 
and secret key. This CA will be trusted to do his job properly. For PKI-assured 
non-transferability, this will make sure that access to a user’s pseudonym or 
credential is sufficient to obtain this user’s secret key from an external PKI. 
For all-or-nothing non-transferability, this will make sure that access to one 
pseudonym or credential of a user is sufficient to obtain access to all of them. 
To allow revocable anonymity, an anonymity revocation manager can be added. 
This entity will be trusted not to use his ability to find out a user’s identity or 
pseudonym unless dictated to do so. As the trusted parties perform tasks that 
are not required frequently, these parties can be implemented in a distributed 
fashion to weaken the trust assumptions. Finally, a credential may include an 
attribute, such as an expiration date. These variations are simple to handle in 
the model; for simplicity of exposition of the model, however, we do not discuss 
them here. The extended solution we propose already incorporates some of them, 
and can be easily adapted to incorporate others. 

We first give a specification for an ideal credential system that relies on 
a trusted party T as an intermediator; we then explain what it means for a 
cryptographic system to conform to this specification. 

Initialization: To initialize the system, the organizations create a public file 
which, for each organization O, describes the type of credential that the or- 
ganization grants. 

Ideal communication: All communication is routed through T. If the sender of a 
message wishes to be anonymous, he requests T not to reveal his identity to the 
recipient. Also, a sender of a message may request that a session be established 
between him and the recipient. This session then gets a session id sid. 

Events in the system: Each transaction between players is an event in the sys- 
tem. Events in the system can be triggered through external processes, some of 
which may be controlled by an adversary. An external process can trigger some 
particular event between a particular user and organization; or may trigger a set 
of events; or may cause some probability distribution on the events. 

Input of the players: The players are interactive Turing machines. Initially, they 
have no input; then as transactions are triggered, they obtain inputs and act 
accordingly. 

Output of the players: At the end of the system's lifetime, each user outputs a 
list of the transactions she participated in, complete with the pseudonym used 
in each transaction, session ids of the transactions, and transaction outcomes. 
Organizations and verifiers output a list of transaction identifiers for transactions 
in which they participated, the pseudonym involved (in case of organizations), 
and the outcome of the transaction. 

The system supports the following transactions: 

FormNym(U, O): This protocol is a session between a user U and an organization 
O. The user U contacts T with a request to establish a pseudonym between 
herself and organization O. She further specifies the login name $L_U$ by which 
T knows her and the corresponding authenticating key $K_U$. If she does not 
have an account with T yet, she first establishes it by providing to T a login 
name $L_U$ and obtaining $K_U$ in return. She further specifies $N_1$. Then T verifies 
the validity of $(L_U, K_U)$ and, if $K_U$ is the authenticating key corresponding 
to login name $L_U$, contacts O and tells it that some user wants to establish a 
pseudonym with it with prefix $N_1$. The organization either accepts or rejects. 
If it accepts, it sends a pseudonym suffix $N_2$, so the pseudonym becomes 
$N_{(U,O)} := N_1 \| N_2$ ($\|$ denotes concatenation). T forwards the resulting $N_{(U,O)}$ 
to U in case of acceptance, or notifies U of rejection. 

GrantCred(N, O): This protocol is a session between a user U and an organization 
O. U approaches T, and submits her login name $L_U$, her authenticating key 
$K_U$, the pseudonym N, and the name of organization O. If $K_U$ is not a valid 
authenticating key for $L_U$, or if N is not U's pseudonym with O, then T replies 
with a "Fail" message. Otherwise, T contacts O. If O accepts, then T notifies 
the user that a credential has been granted, otherwise it replies with "Reject." 

VerifyCred(V, N, O): This protocol is a session between a user U and a verifier V. 
A user approaches T and gives it her login $L_U$, her authenticating key $K_U$, a 
name of the verifier V, a pseudonym N and a name of a credential-granting 
organization O. If $K_U$ is a valid authenticating key for $L_U$, and N is U's 
pseudonym with organization O, and a credential has been granted by O to 
N, then T notifies V that the user talking to V in the current session sid has 
a credential from O. Otherwise, T replies with a "Fail" message. 

VerifyCredOnNym(V, $N_V$, $N_O$, O): This protocol is a session between a user U and 
a verifier V. U approaches T and gives it her login name $L_U$, her authen- 
ticating key $K_U$, a name of the verifier V, pseudonyms $N_V$ and $N_O$, and a 
name of a credential-granting organization O. If $K_U$ is a valid authenticating 
key for $L_U$, and $N_V$ is U's pseudonym with V while $N_O$ is U's pseudonym 
with organization O, and a credential has been granted by O to $N_O$, then T 
notifies V that the user with pseudonym $N_V$ has a credential from O. 

This ideal system captures the intuitive requirements, such as unforgeability 
of credentials, anonymity of users, unlinkability of credential showings, and con- 
sistency of credentials. Ideal operations that allow additional desirable features 
can be implemented as well. 

Let us briefly illustrate the use of the credential system by a typical ex- 
ample. Consider a user U who wants to get a credential from organization O. 
Organization O requires the possession of credentials from organizations $O_1$ and 
$O_2$ as a prerequisite to get a credential from O. Assume that U possesses such 
credentials. Then U can get a credential from O as follows: she first establishes 
a pseudonym with O by executing FormNym(U, O) and then shows O her cre- 
dentials from $O_1$ and $O_2$ by executing VerifyCredOnNym(O, $N_O$, $N_{O_1}$, $O_1$) and 
VerifyCredOnNym(O, $N_O$, $N_{O_2}$, $O_2$). Now O knows that the user it knows under 
$N_O$ possesses credentials from $O_1$ and $O_2$ and will grant U a credential, i.e., U can 
execute GrantCred($N_O$, O). We remark that the operation VerifyCred(V, N, O) ex- 
ists for efficiency reasons. This operation can be used by U if she wants to show 
a party only a single credential, e.g., to access a subscription-based service. 



The ideal-world (resp., real-world) adversary. The ideal-world (resp., real-world) 
adversary is a probabilistic polynomial-time machine that gets control over the 
corrupted parties in the ideal world (resp., real world). He receives, as input, the 
number of honest users and organizations, as well as all the public information 
of the system. The adversary can trigger an event as described above. 

Definition 1. Let the ideal credential system described above be denoted ICS. 
Let a cryptographic credential system without T be denoted CCS. Let $V = 
\mathrm{poly}(k)$ be the number of players in the system with security parameter k. By 
$ICS(1^k, E)$ (resp., $CCS(1^k, E)$) we denote a credential system with security pa- 
rameter k and event scheduler E for the events that take place in this system. As 
events are scheduled adversarially, E schedules them according to the adversary's 
wishes, therefore we will write $E^A$. By $A_i(1^k)$, we denote the output of party i in 
the credential system. If $\{A_1(1^k), \ldots, A_V(1^k)\}$ is a list of the players' outputs, 
then we denote these players' outputs by $\{A_1(1^k), \ldots, A_V(1^k)\}_{CS}$ when all 
of them, together, exist within a credential system CS. CCS is secure if there 
exists a simulator S (ideal-world adversary) such that the following holds, for all 
interactive probabilistic polynomial-time machines A (real-world adversary), for 
all sufficiently large k: 

1. In the ICS, S controls the ideal-world players corresponding to the real-world 
players controlled by A. 

2. For all event schedulers $E^A$, 



where S is given black-box access to A. ("$D_1(1^k) \approx D_2(1^k)$" denotes computa- 
tional indistinguishability of the distributions $D_1$ and $D_2$.) 
3 Protocol Notation 

By $\mathrm{neg}(k)$ we denote any function that vanishes faster than any inverse polyno- 
mial in k. By $\mathrm{poly}(k)$ we denote a function bounded by a polynomial in k. 

In the description of our scheme, we use the notation introduced by Ca- 
menisch and Stadler [ref] for various proofs of knowledge of discrete logarithms 
and proofs of the validity of statements about discrete logarithms. For instance, 

$PK\{(\alpha, \beta, \gamma) : y = g^\alpha h^\beta \wedge \tilde y = \tilde g^\alpha \tilde h^\gamma \wedge (u < \alpha < v)\}$ 

denotes a "zero-knowledge Proof of Knowledge of integers $\alpha$, $\beta$, and $\gamma$ such that 
$y = g^\alpha h^\beta$ and $\tilde y = \tilde g^\alpha \tilde h^\gamma$ holds, where $u < \alpha < v$," where $y, g, h, \tilde y, \tilde g$, and $\tilde h$ are 
elements of some groups $G = \langle g \rangle = \langle h \rangle$ and $\tilde G = \langle \tilde g \rangle = \langle \tilde h \rangle$. The convention 
is that Greek letters denote quantities the knowledge of which is being proved, 
while all other parameters are known to the verifier. Using this notation, a proof 
protocol can be described by just pointing out its aim while hiding all details. 

In the random oracle model, such protocols can be turned into signature 
schemes using the Fiat-Shamir heuristic [ref]. We use the notation $SPK\{(\alpha) : 
y = g^\alpha\}(m)$ to denote a signature obtained in this way. 

It is important that we use protocols that are concurrent zero-knowledge. 
They are characterized by remaining zero-knowledge even if several instances 
of the same protocol are run arbitrarily interleaved. In the public key model, 
Damgård [ref] shows a general technique for making the so-called $\Sigma$-protocols 
(these include all the proofs of knowledge used here) composable under con- 
current composition without incurring a penalty in communication or round 
complexity. All the proofs of knowledge we use in this paper incorporate this 
technique. 

In this paper we apply such PK's and SPK's to the group of quadratic 
residues modulo a composite n, i.e., $G = QR_n$. This choice for the underlying 
group has some consequences. First, the protocols are proofs of knowledge under 
the strong RSA assumption [ref]. Second, the largest possible value of the chal- 
lenge c must be smaller than the smallest factor of G's order. Third, soundness 
needs special attention in the case that the verifier is not equipped with the fac- 
torization of n because then deciding membership in $QR_n$ is believed to be hard. 
Thus the prover needs to convince the verifier that the elements he presents are 
indeed quadratic residues, i.e., that the square roots of the presented elements 
exist. This can in principle be done with a protocol by Fiat and Shamir [ref]. 
However, often it is sufficient to simply execute $PK\{(\alpha) : y^2 = (g^2)^\alpha\}$ instead of 
$PK\{(\alpha) : y = g^\alpha\}$. The quantity $\alpha$ is defined as $\log_{g^2} y^2$, which is the same as 
$\log_g y$ in case y is in $QR_n$. 

For an explanation of how the PK's used in the paper can be realized 
efficiently, we refer to the full version of this paper [ref]. 

4 The Basic Anonymous Credential System 

The basic system comprises protocols for a user to join the system, register with 
an organization, obtain multi-show credentials, and show such credentials. 
Throughout we assume that the users and organizations are connected by 
perfectly anonymous channels. Furthermore, we assume that for each protocol 
an organization authenticates itself to the user and that they establish a secure 
channel between them for each session. For any protocol we describe, we implic- 
itly assume that if some check or sub-protocol (e.g., some proof of knowledge 
PK) fails for some party, it informs the other participants of this and stops. 



4.1 High-Level Description 

In our system, each organization O will have, in its public key $PK_O$, an RSA 
modulus $n_O$, and five elements of $QR_{n_O}$: $(a_O, b_O, d_O, g_O, h_O)$. Each user U will 
have her own master secret key $x_U$. A pseudonym of user U with organization O, 
denoted $N_{(U,O)}$, is just a name by which the user is known to the organization, 
and consists of a user-generated part $N_1$ and an organization-generated part 
$N_2$. The pseudonym $N_{(U,O)} = N_1 \| N_2$ will be tagged with a value $P_{(U,O)}$. This 
validating tag is of the form $P_{(U,O)} = a_O^{x_U} b_O^{s_{(U,O)}}$, where $s_{(U,O)}$ is a short random 
string to which the user and organization contribute randomness, but of which 
only the user knows its value. An appropriate choice of parameters for the length 
of $x_U$ and $s_{(U,O)}$ ensures that the resulting $P_{(U,O)}$ is statistically independent of 
the user's key $x_U$ and of any other validating tags formed by the same user with 
other organizations. 

A credential issued by O to a pseudonym $N_{(U,O)}$ is a tuple $(e_{(U,O)}, c_{(U,O)})$ 
where $e_{(U,O)}$ is a sufficiently long prime and $c_{(U,O)}^{e_{(U,O)}} = P_{(U,O)} d_O$. Under the 
strong RSA assumption, such tuples cannot be existentially forged for correctly 
formed tags even by an adaptive attack (Theorem 2). 

To protect the user's privacy in our system, proof of possession of a creden- 
tial is realized by a proof of knowledge of a correctly formed tag $P_{(U,O)}$ and a 
credential on it. This is done by publishing statistically secure commitments to 
both the validating tag and the credential, and proving relationships between 
these commitments. It can also include a proof that the underlying secret key is 
the same in both the committed validating tag (corresponding to the pseudonym 
formed with the issuing organization) and the validating tag with the verifying 
organization. This ensures consistency of credentials, e.g., guarantees that even 
users that fully trust each other cannot pool their credentials. 



4.2 System Parameter and Key Generation 

We name some common system parameters: the length of all the RSA moduli $\ell_n$, 
the integer intervals $\Gamma = ]-2^{\ell_\Gamma}, 2^{\ell_\Gamma}[$, $\Delta = ]-2^{\ell_\Delta}, 2^{\ell_\Delta}[$, 
$\Lambda = ]2^{\ell_\Lambda}, 2^{\ell_\Lambda + \ell_\Sigma}[$ such that $\ell_\Delta = \varepsilon(\ell_\Gamma + \ell_n) + 1$, where 
$\varepsilon > 1$ is a security parameter, and $\ell_\Lambda > \ell_\Sigma + \ell_\Delta + 4$. 
Each organization $O_i$ chooses random $\ell_n/2$-bit primes $p'_{O_i}, q'_{O_i}$ such that 
$p_{O_i} = 2p'_{O_i} + 1$ and $q_{O_i} = 2q'_{O_i} + 1$ are prime and sets modulus $n_{O_i} = p_{O_i} q_{O_i}$. $O_i$ 
also chooses random elements $a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i} \in_R QR_{n_{O_i}}$. $O_i$ stores $SK_{O_i} := 
(p_{O_i}, q_{O_i})$ as its secret key and publishes $PK_{O_i} := (n_{O_i}, a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i})$ 
as its public key. In the public-key model, we assume that there is a special 
entity that verifies, through a zero-knowledge protocol with $O_i$, that $n_{O_i}$ is the 
product of two safe primes (see [ref] for how this can be done efficiently) and 
that the elements $a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i}$ are indeed in $QR_{n_{O_i}}$ (see, for example, 
Goldwasser et al. [ref]). Alternatively, this can be carried out in the random 
oracle model using the Fiat-Shamir heuristic [ref]. The parameter $\ell_\Gamma$ should be 
chosen such that computing discrete logarithms in $QR_{n_{O_i}}$ with $\ell_\Gamma$-bit exponents 
is hard. 



4.3 Generation of a Pseudonym 

We now describe how a user U establishes a pseudonym $N_{(U,O)}$ and its validating 
tag $P_{(U,O)}$ with organization O. Let $x_U \in_R \Gamma$ be U's master secret. The proto- 
col below assures that the pseudonym's validating tag is of the right form, i.e., 
$P_{(U,O)} = a_O^{x_U} b_O^{s_{(U,O)}}$, with $x_U \in \Gamma$ and $s_{(U,O)} \in \Delta$. The value $s_{(U,O)}$ is chosen 
jointly by O and U without O learning anything about either $x_U$ or $s_{(U,O)}$. Note 
that this protocol does not force U to use the same $x_U$ as with other organiza- 
tions; this is taken care of later in Protocol 4. 

Protocol 1 

1. U chooses a value $N_1 \in \{0,1\}^k$, and values $r_1 \in_R \Delta$ and $r_2, r_3 \in_R \{0,1\}^{2\ell_n}$. 
U sets $C_1 := g_O^{r_1} h_O^{r_2}$, $C_2 := g_O^{x_U} h_O^{r_3}$. U sends $N_1$, $C_1$, and $C_2$ to O. 

2. To prove that $C_1$ and $C_2$ are formed correctly, U serves as the prover to 
verifier O in 

$PK\{(\alpha, \beta, \gamma, \delta) : C_1^2 = (g_O^2)^\alpha (h_O^2)^\beta \wedge C_2^2 = (g_O^2)^\gamma (h_O^2)^\delta\}$ . 

3. O chooses a random $r \in_R \Delta$ and a value $N_2$ and sends $r, N_2$ to U. 

4. U sets her pseudonym $N_{(U,O)} := N_1 \| N_2$. U computes $s_{(U,O)} = ((r_1 + r) \bmod 
(2^{\ell_\Delta + 1} - 1)) - 2^{\ell_\Delta} + 1$ ($s_{(U,O)}$ is the sum of $r_1$ and r, adjusted appropriately 
so as to fall in the interval $\Delta$). U then sets her validating tag $P_{(U,O)} := 
a_O^{x_U} b_O^{s_{(U,O)}}$ and sends $P_{(U,O)}$ to O. 

5. Now, U must show that $P_{(U,O)}$ was formed correctly. To that end, she com- 
putes $\tilde s = \lfloor (r_1 + r) / (2^{\ell_\Delta + 1} - 1) \rfloor$ ($\tilde s$ is the value of the carry resulting from the compu- 
tation of $s_{(U,O)}$ above) and chooses $r_4 \in_R \{0,1\}^{2\ell_n}$, sets $C_3 := g_O^{\tilde s} h_O^{r_4}$ and 
sends $C_3$ to O. Furthermore, U proves to O that the values in step 4 were 
chosen correctly by executing 

$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \vartheta, \xi) : C_1^2 = (g_O^2)^\alpha (h_O^2)^\beta \wedge C_2^2 = (g_O^2)^\gamma (h_O^2)^\delta \wedge$ 
$C_3^2 = (g_O^2)^\varepsilon (h_O^2)^\zeta \wedge \dfrac{C_1^2\, g_O^{2(r - 2^{\ell_\Delta} + 1)}}{(C_3^2)^{(2^{\ell_\Delta + 1} - 1)}} = (g_O^2)^\vartheta (h_O^2)^\xi \wedge$ 
$P_{(U,O)}^2 = (a_O^2)^\gamma (b_O^2)^\vartheta \wedge \gamma \in \Gamma \wedge \vartheta \in \Delta\}$ . 

6. O stores $N_{(U,O)}$ and $P_{(U,O)}$. 

7. U stores $N_{(U,O)}$, $P_{(U,O)}$, and $s_{(U,O)}$. 

4.4 Generation of a Credential 

A credential on (N, P) issued by O is a pair (c, e) with $e \in \Lambda$ such that $P_{(U,O)} d_O = 
c^e$. To generate a credential on a previously established pseudonym $N_{(U,O)}$ with 
validity tag $P_{(U,O)}$, organization O and user U carry out the following protocol: 

Protocol 2 

1. U sends $(N_{(U,O)}, P_{(U,O)})$ to O and authenticates herself as its owner by exe- 
cuting 

$PK\{(\alpha, \beta) : P_{(U,O)}^2 = (a_O^2)^\alpha (b_O^2)^\beta\}$ . 

2. O makes sure $(N_{(U,O)}, P_{(U,O)})$ is in its database, chooses a random prime 
$e_{(U,O)} \in_R \Lambda$, computes $c_{(U,O)} = (P_{(U,O)} d_O)^{1/e_{(U,O)}} \bmod n_O$, sends $c_{(U,O)}$ 
and $e_{(U,O)}$ to U and stores $(c_{(U,O)}, e_{(U,O)})$ in its record for $N_{(U,O)}$. 

3. U checks if $c_{(U,O)}^{e_{(U,O)}} = P_{(U,O)} d_O \pmod{n_O}$ and stores $(c_{(U,O)}, e_{(U,O)})$ in 
its record with organization O. The tuple $(P_{(U,O)}, c_{(U,O)}, e_{(U,O)})$ is called a 
credential record. 

Step 1 can be omitted if Protocol 2 takes place in the same session as some other 
protocol where U already proved ownership of $N_{(U,O)}$. 

4.5 Showing a Single Credential 

Assume a user U wants to prove to a verifier V the possession of a credential 
issued by O, i.e., possession of values $(P_{(U,O)} = a_O^{x_U} b_O^{s_{(U,O)}}, c_{(U,O)}, e_{(U,O)})$, where 
$c_{(U,O)}^{e_{(U,O)}} = d_O P_{(U,O)}$. U and verifier V engage in the following protocol: 

Protocol 3 

1. U chooses $r_1, r_2 \in_R \{0,1\}^{2\ell_n}$, computes $A = c_{(U,O)} h_O^{r_1}$, $B = h_O^{r_1} g_O^{r_2}$, and 
sends A, B to V. 

2. U engages with V in 

$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi) : d_O^2 = (A^2)^\alpha (1/a_O^2)^\beta (1/b_O^2)^\gamma (1/h_O^2)^\delta \wedge$ 
$B^2 = (h_O^2)^\varepsilon (g_O^2)^\zeta \wedge 1 = (B^2)^\alpha (1/h_O^2)^\delta (1/g_O^2)^\xi \wedge$ 
$\beta \in \Gamma \wedge \gamma \in \Delta \wedge \alpha \in \Lambda\}$ . 

The PK in step 2 proves that U possesses a credential issued by O on some 
pseudonym registered with O. We refer to the proof of Lemma 2 in the full 
version of this paper [ref] for more details about this PK. 
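The following script is an added illustration, not code from the paper, of the arithmetic behind Sections 3 and 4.2 to 4.5 on toy parameters: organization key generation with a safe-prime product, the folding of $r_1 + r$ into $\Delta$ in step 4 of Protocol 1 (together with the carry $\tilde s$ that step 5 commits to), formation of the validating tag $P = a^x b^s$, issuance of a credential $c = (P d)^{1/e}$ using the secret group order $p'q'$ with the check $c^e = P d$, and a Fiat-Shamir SPK of the representation of P stated over squares, i.e., the ownership proof of step 1 of Protocol 2 in the SPK form of Section 3. It does not implement the commitment-based showing proof of Protocol 3. All function and parameter names (org_keygen, joint_randomness, L_C, L_S, and so on) are this example's own, and the toy sizes (24-bit primes, 16-bit secrets, 20-bit challenges) satisfy none of the Section 4.2 constraints.

```python
"""Toy arithmetic of the basic credential system (Sections 3 and 4.2-4.5).
Added example, not the paper's own code. Sizes are deliberately tiny; real
security needs 1024-bit moduli and the interval constraints of Section 4.2."""
import hashlib
import random
from math import gcd

L_C = 20   # challenge bits; must stay below min(p', q') (Section 3)
L_S = 40   # statistical slack in the commitment exponents (hides the secrets)

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def safe_prime(bits, rng):
    """Return p = 2p' + 1 with p' and p both prime."""
    while True:
        pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1

def random_qr(n, rng):
    """A random quadratic residue: the square of a random unit mod n."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            return pow(r, 2, n)

def mexp(base, exp, n):
    """Modular exponentiation that also accepts negative exponents."""
    return pow(pow(base, -1, n) if exp < 0 else base, abs(exp), n)

def org_keygen(bits=24, seed=1):
    """Section 4.2: n = pq (safe primes), a, b, d,g, h in QR_n; secret |QR_n| = p'q'."""
    rng = random.Random(seed)
    p = safe_prime(bits, rng)
    q = safe_prime(bits, rng)
    while q == p:
        q = safe_prime(bits, rng)
    n = p * q
    a, b, d, g, h = (random_qr(n, rng) for _ in range(5))
    return dict(n=n, a=a, b=b, d=d, g=g, h=h), dict(qr_order=(p - 1) // 2 * ((q - 1) // 2))

def joint_randomness(r1, r, ell_delta):
    """Protocol 1, steps 4-5: fold r1 + r back into Delta = ]-2^ell, 2^ell[.
    Returns (s, carry) with s = r1 + r - carry*(2^(ell+1) - 1) - 2^ell + 1."""
    m = (1 << (ell_delta + 1)) - 1
    s = (r1 + r) % m - (1 << ell_delta) + 1
    carry = (r1 + r) // m
    assert s == r1 + r - carry * m - (1 << ell_delta) + 1   # the relation step 5 proves
    return s, carry

def pseudonym_tag(pk, x, s):
    """Validating tag P = a^x b^s mod n (Section 4.1)."""
    return mexp(pk["a"], x, pk["n"]) * mexp(pk["b"], s, pk["n"]) % pk["n"]

def issue_credential(pk, sk, P, e):
    """Protocol 2, step 2: c = (P d)^(1/e) mod n; the e-th root needs p'q'."""
    return pow(P * pk["d"] % pk["n"], pow(e, -1, sk["qr_order"]), pk["n"])

def verify_credential(pk, P, c, e):
    """Protocol 2, step 3: c^e == P d (mod n)."""
    return pow(c, e, pk["n"]) == P * pk["d"] % pk["n"]

def _challenge(pk, P, t, msg):
    data = f"{pk['n']}|{pk['a']}|{pk['b']}|{P}|{t}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - L_C)

def spk_prove(pk, P, x, s, msg, rng, ell_x=16, ell_s=17):
    """SPK{(alpha, beta) : P^2 = (a^2)^alpha (b^2)^beta}(msg): Fiat-Shamir form of the
    ownership proof of Protocol 2, step 1, stated over squares as in Section 3."""
    n, a2, b2 = pk["n"], pow(pk["a"], 2, pk["n"]), pow(pk["b"], 2, pk["n"])
    rx = rng.getrandbits(ell_x + L_C + L_S)
    rs = rng.getrandbits(ell_s + L_C + L_S)
    t = pow(a2, rx, n) * pow(b2, rs, n) % n
    c = _challenge(pk, P, t, msg)
    return c, rx - c * x, rs - c * s      # responses over Z: the group order is unknown

def spk_verify(pk, P, msg, proof):
    c, zx, zs = proof
    n = pk["n"]
    a2, b2, P2 = pow(pk["a"], 2, n), pow(pk["b"], 2, n), pow(P, 2, n)
    t = mexp(a2, zx, n) * mexp(b2, zs, n) * pow(P2, c, n) % n
    return c == _challenge(pk, P, t, msg)

def demo(seed=7):
    rng = random.Random(seed)
    pk, sk = org_keygen(seed=seed)
    x = rng.getrandbits(16)                                   # master secret x_U
    r1, r = (rng.randrange(-(1 << 16) + 1, 1 << 16) for _ in range(2))
    s, _carry = joint_randomness(r1, r, 16)                   # Protocol 1, steps 3-4
    P = pseudonym_tag(pk, x, s)
    e = 65537                                                 # prime, coprime to p'q'
    c = issue_credential(pk, sk, P, e)                        # Protocol 2
    proof = spk_prove(pk, P, x, s, "show to V", rng)
    return dict(valid=verify_credential(pk, P, c, e),
                tampered=verify_credential(pk, P, c + 1, e),
                spk_ok=spk_verify(pk, P, "show to V", proof),
                spk_wrong_msg=spk_verify(pk, P, "other", proof))
```

Two design points mirror the text: the SPK responses are computed over the integers rather than reduced modulo a group order, because the order of $QR_n$ is exactly what the prover must not know, and the statement is over squares ($P^2$, $a^2$, $b^2$) so that the verifier never has to decide membership in $QR_n$. The only place the factorization enters is `issue_credential`, where the organization takes the e-th root through $e^{-1} \bmod p'q'$.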
4.6 Showing a Credential with Respect to a Pseudonym 

Assume a user U wants to prove possession of a credential record $(P_{(U,O_j)} = 
a_{O_j}^{x_U} b_{O_j}^{s_{(U,O_j)}}, c_{(U,O_j)}, e_{(U,O_j)})$ to organization $O_i$ with whom U has established a 
pseudonym $(N_{(U,O_i)}, P_{(U,O_i)})$. That means $O_i$ not only wants to be assured that 
U owns a credential by $O_j$ but also that the pseudonym connected with this 
credential is based on the same master secret key as $P_{(U,O_i)}$. 

Protocol 4 

1. U chooses random $r_1, r_2, r_3 \in_R \{0,1\}^{2\ell_n}$, computes $A = c_{(U,O_j)} h_{O_j}^{r_1}$, 
$B = h_{O_j}^{r_1} g_{O_j}^{r_2}$, and sends $N_{(U,O_i)}$, A, B to $O_i$. 

2. U engages with $O_i$ in 

$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : d_{O_j}^2 = (A^2)^\alpha (1/a_{O_j}^2)^\beta (1/b_{O_j}^2)^\gamma (1/h_{O_j}^2)^\delta \wedge$ 
$B^2 = (h_{O_j}^2)^\varepsilon (g_{O_j}^2)^\zeta \wedge 1 = (B^2)^\alpha (1/h_{O_j}^2)^\delta (1/g_{O_j}^2)^\xi \wedge$ 
$P_{(U,O_i)}^2 = (a_{O_i}^2)^\beta (b_{O_i}^2)^\eta \wedge \beta \in \Gamma \wedge \gamma \in \Delta \wedge \eta \in \Delta \wedge \alpha \in \Lambda\}$ . 

The first three equations of this proof of knowledge are the same as in Protocol 3. 
The fourth equation proves that the same master secret key is used in $P_{(U,O_i)}$ 
and in the validating tag to the pseudonym established with $O_j$. 

In the random oracle model, the verifier (or verifying organization) can ob- 
tain the receipt from a showing transaction by turning step 2 of Protocol 4 (or 
Protocol 3, respectively) into the corresponding SPK on the description of the 
transaction. This step will add efficiency and also will enable a user to sign an 
agreement with a verifier using her credential as a signature public key. This 
could, for instance, be useful if possessing a credential means being allowed to 
sign on behalf of the issuing organization (cf. group signatures). 

5 Proof of Security for the Basic Credential System 

The following technical lemmas about the protocols described above are stated 
here without proof; their proofs can be found in the full version of this paper [ref]. 

Lemma 1. Under the strong RSA assumption and the decisional Diffie-Hellman 
assumption modulo a safe prime product, step 5 of Protocol 1 (the protocol for 
establishing a pseudonym) is a statistical zero-knowledge proof of knowledge of 
the correctly formed values $x_U$, $s_{(U,O)}$ that correspond to a pseudonym validating 
tag $P_{(U,O)}$. 

Lemma 2. Under the strong RSA assumption and the decisional Diffie-Hellman 
assumption modulo a safe prime product, step 2 of Protocol 3 (the protocol for 
showing a single credential) is a statistical zero-knowledge proof of knowledge of 
the values $x \in \Gamma$, $s \in \Delta$, $e \in \Lambda$, and c such that x, s correspond to a pseudonym 
validating tag $P = a_O^x b_O^s$, and $c^e = P d_O \bmod n_O$. 

Lemma 3. Under the strong RSA assumption and the decisional Diffie-Hellman 
assumption modulo a safe prime product, step 2 of Protocol 4 (the protocol for 
showing a credential corresponding to a given validating tag $P_{(U,O_i)}$) is a statis- 
tical zero-knowledge proof of knowledge of the values $x \in \Gamma$, $s_1, s_2 \in \Delta$, $e \in \Lambda$, 
and c such that $P_{(U,O_i)} = a_{O_i}^x b_{O_i}^{s_1} \bmod n_{O_i}$, x, $s_2$ correspond to a validating tag 
$P = a_{O_j}^x b_{O_j}^{s_2}$, and $c^e = P d_{O_j} \bmod n_{O_j}$ holds. 

5.1 Description of the Simulator 

We now describe the simulator S for our scheme and then in Section 5.2 show 
that it satisfies Definition 1. 

Setup. For the organizations not controlled by the adversary, the simulator sets 
up their secret and public keys as dictated by the protocol. For each organization, 
the simulator creates an archive where it will record the credentials issued by 
this organization to the users controlled by the adversary. It also initializes a list 
of the users controlled by the adversary. 

Generation of a pseudonym. If a user controlled by the adversary establishes 
a pseudonym from an honest organization, the simulator uses the knowledge 
extractor of Lemma 1 to discover the user's underlying key x and the value s. If 
no user with key x is present in the list of dishonest users, S creates a new user 
U with login name $L_U$, and runs FormNym(U, O) to create a pseudonym $N_{(U,O)}$ 
for this user, and to obtain a key $K_U$ for further interactions of this user with 
T. The simulator stores the record $(U, L_U, x, K_U, N_{(U,O)}, s)$ in its list of users 
controlled by the adversary. If some user U with key x is already present, the 
simulator runs FormNym(U, O) to create a pseudonym $N_{(U,O)}$ for this user, and 
adds $(N_{(U,O)}, s)$ to U's record. 

If an honest user, through T, establishes a pseudonym with an organization 
controlled by the adversary, our simulator will use the zero-knowledge simulator 
from Lemma 1 to furnish the adversary's view of the protocol. 

Generate a credential. If a user controlled by the adversary requests a credential 
from an honest organization O, then, upon receiving a message from T to that 
effect, the simulator runs the knowledge extractor for the proof of knowledge of 
step 1 of Protocol 2. It determines the values x and s. The simulator looks at its 
list of the pseudonyms of users controlled by the adversary. If it does not find 
a record with x and s, then it refuses to grant a credential (as an organization 
would). If it finds that there is a record containing these x and s and pseudonym 
N, then the simulator runs GrantCred(N, O) with T. Upon hearing from T that 
the user may have a credential, the simulator runs the organization's side of the 
rest of Protocol 2, and issues the correct e and c. It stores the values (x, s, e, c) 
in the archive for organization O. 

If an honest user, through T, requests a credential from an organization 
controlled by the adversary, then the simulator will run the zero-knowledge sim- 
ulator for step 1 of Protocol 2 and execute the rest of the user's side of it. If the 
user accepts, then the simulator informs T that the credential was granted. 
Showing a single credential. This part of the simulator can easily be inferred 
from the part for Showing a credential with respect to a pseudonym that follows. 

Showing a credential with respect to a pseudonym. If a user controlled by the 
adversary wants to show a credential from an honest organization $O_j$ to an honest 
organization $O_i$ with whom it has pseudonym $N_{(U,O_i)}$, then the simulator runs 
$O_i$'s part of Protocol 4 and extracts the user's values $(x, s_{(U,O_i)}, s_{(U,O_j)}, e, c)$ with 
the knowledge extractor of Lemma 3. If $O_i$'s side of Protocol 4 accepts, while 
$(x, s_{(U,O_j)}, e, c)$ is not in the archive of $O_j$, then S rejects. Otherwise, it finds the 
user U with key x, the user's corresponding key K and pseudonyms $N_{(U,O_i)}$, $N_{(U,O_j)}$ and 
runs VerifyCredOnNym($O_i$, $N_{(U,O_i)}$, $N_{(U,O_j)}$, $O_j$). 

If a dishonest user wants to prove to an honest organization $O_i$ that he has 
a credential from a dishonest organization $O_j$, then the simulator runs $O_i$'s side 
of Protocol 4 with the knowledge extractor of Lemma 3 to obtain the values 
$(x, s_{(U,O_i)}, s, e, c)$. If $O_i$'s side of the protocol rejects, it does nothing. Otherwise: 
(1) It checks if there exists a user with key x in $O_i$'s archive. If so, denote this 
user by U. If not, let U be a new user with key x. Next it runs FormNym(U, $O_j$) to 
get $N_{(U,O_j)}$. (2) It checks if U has a credential record in $O_j$'s archive. If not, it runs 
GrantCred($N_{(U,O_j)}$, $O_j$). (3) It runs VerifyCredOnNym($O_i$, $N_{(U,O_i)}$, $N_{(U,O_j)}$, $O_j$). 

If an honest user (through T) wants to prove to organization $O_i$ controlled 
by the adversary, that he has a credential from an honest organization $O_j$, then 
the simulator runs the zero-knowledge simulator of Lemma 3 to do that. 

5.2 Proof of Successful Simulation 

We show that our simulator fails with negligible probability only. As a first step, 
we show in Theorem 2 that a tuple (x, s, e, c), the knowledge of which is essential 
for proving possession of a credential, is unforgeable even under an adaptive 
attack. For this we rely on the following theorem due to Ateniese et al. [ref]: 

Theorem 1. Suppose an $\ell_n$-bit RSA modulus $n = pq = (2p' + 1)(2q' + 1)$ is 
given, where p, q, p', and q' are primes. Let $\Delta' = ]-2^{\ell_{\Delta'}}, 2^{\ell_{\Delta'}}[$, $\Gamma' = ]-T, T[$ 
and $\Lambda' = ]2^{\ell_{\Lambda'}}, 2^{\ell_{\Lambda'} + \ell_{\Sigma'}}[$ with $2^{\ell_{\Delta'}} > T > 2^{\ldots}$ and $\ell_{\Lambda'} > \ell_{\Sigma'} + \ell_{\Delta'} + 3$. Suppose 
random $b, d \in_R QR_n$ are given. Further, suppose we have access to an oracle 
which, on the i-th query outputs tuples $(y_i, e_i, c_i)$ such that $y_i \in \Gamma'$, $e_i \in \Lambda'$ 
is a prime, and $c_i^{e_i} = b^{y_i} d \bmod n$. Under the strong RSA assumption, it is hard, 
upon seeing the oracle output for $1 \le i \le K$, K polynomial in $\ell_n$, to produce a 
tuple (y, e, c) such that for all $1 \le i \le K$, $(y, e) \ne (y_i, e_i)$, and $y \in \Delta'$, $e \in \Lambda'$, 
and $c^{2e} = (b^y d)^2$. 



Theorem 2. Suppose an $\ell_n$-bit RSA modulus $n = pq = (2p' + 1)(2q' + 1)$ is 
given, where p, q, p', and q' are primes. Suppose random $a, b, d \in_R QR_n$ are 
given. Further, suppose we have access to an oracle O which, on the i-th query 
with a value $x_i \in \Gamma$, outputs a tuple $(s_i, e_i, c_i)$ such that $s_i \in_R \Delta$, $e_i \in_R \Lambda$ is 
a prime, and $c_i^{e_i} = a^{x_i} b^{s_i} d$. Under the strong RSA assumption and the discrete 
logarithm assumption modulo a safe prime product, it is hard, upon seeing the 
oracle output for $1 \le i \le K$, K polynomial in $\ell_n$, to produce a tuple (x, s, e, c) 
such that for all $1 \le i \le K$, $(x, s, e, c) \ne (x_i, s_i, e_i, c_i)$, and $x \in \Gamma$, $s \in \Delta$, $e \in \Lambda$, 
and $c^{2e} = (a^x b^s d)^2 \bmod n$. 

Proof. We will prove our theorem by exhibiting a reduction to Theorem 1. The 
reduction has access to a forger A that forges a tuple (x, s, e, c) under condi- 
tions stated in the theorem. Using A, the reduction will forge a tuple (y, e, c) 
under conditions stated in Theorem 1. This, in turn, contradicts the strong RSA 
assumption. 

The reduction will take, as input, the public parameters (n, b, d) as in Theo- 
rem 1. Then it will define the public parameters for the setting of the theorem: 
b and d are as given, and to form a, pick $\alpha \in_R [0, n/4]$ and set $a := b^\alpha$. 

Then, the reduction makes K queries and obtains a set of tuples $\{(y_i, e_i, c_i)\}$. 
Now the reduction proceeds as follows: upon receiving a query $x_i \in \Gamma$, set 
$s_i := y_i - \alpha x_i$. Setting the parameter T of Theorem 1 to $2^{\ell_\Delta} - \ldots$ will assure 
that $s_i \in \Delta$. Setting $\ell_\Delta = \varepsilon(\ell_\Gamma + \ell_n) + 1$ with $\varepsilon > 1$ (cf. Section 4.2) assures that 
$T > 2^{\ldots}$ and also that $s_i$ will be distributed statistically close to uniformly from 
$\Delta$. Further, note that $a^{x_i} b^{s_i} d = b^{\alpha x_i} b^{y_i - \alpha x_i} d = b^{y_i} d = c_i^{e_i}$. Setting $\ell_{\Sigma'} = \ell_\Sigma$ and 
$\ell_{\Lambda'} = \ell_\Lambda$, the tuple $(s_i, e_i, c_i)$ is distributed statistically close to the distribution 
induced by the actual oracle O. 

After answering the K queries, the reduction receives from the forger a tuple 
(x, s, e, c) such that for all $1 \le i \le K$, $(x, s, e, c) \ne (x_i, s_i, e_i, c_i)$, $x \in \Gamma$, $s \in \Delta$, 
$e \in \Lambda$, and $c^{2e} = (a^x b^s d)^2 \bmod n$. Compute $y = s + \alpha x$. Setting $\ell_{\Delta'}$ of Theorem 1 
to $\ell_\Delta + 1$ gives us the condition $\ell_\Lambda = \ell_{\Lambda'} > \ell_{\Sigma'} + \ell_{\Delta'} + 3 = \ell_\Sigma + \ell_\Delta + 4$ 
(cf. Section 4.2). With these settings, the triple (y, e, c) constitutes a forgery for 
Theorem 1 provided that $(y, e) \ne (y_i, e_i)$ for all i. 

Suppose the probability that $(y, e) = (y_i, e_i)$ for some i is non-negligible. 
Then we can use A to break discrete logarithm modulo n. Suppose $(y, h) \in QR_n$ 
are given. It is known that finding $(\alpha_1, \beta_1)$ and a distinct $(\alpha_2, \beta_2)$ such that 
$y^{\alpha_1} h^{\beta_1} = y^{\alpha_2} h^{\beta_2}$ is hard if factoring is hard and computing discrete logarithms 
modulo a safe prime product is hard. 

The reduction takes, as input, the modulus n, and the values (y, h). Then it 
selects K random primes $\{e_i \in_R \Lambda\}_{i=1}^K$, chooses a random $v \in_R QR_n$, and sets 
$d = v^{\prod_{i=1}^K e_i}$, $a = y^{\prod_{i=1}^K e_i}$, $b = h^{\prod_{i=1}^K e_i}$. 

On input $x_i$ (the i-th query), do the following: select an $s_i \in_R \Delta$. Compute the value 
$c_i := (y^{x_i} h^{s_i} v)^{\prod_{l=1, l \ne i}^K e_l}$. Note that by construction, $c_i^{e_i} = 
a^{x_i} b^{s_i} d$. Then output $(s_i, e_i, c_i)$. With non-negligible probability, obtain a forgery 
(x, s, e, c) from the forger such that $(x, s, e, c) \ne (x_i, s_i, e_i, c_i)$ for all i, and yet 
for some i, $(a^{x_i} b^{s_i} d)^2 = (a^x b^s d)^2$. Because a, b, and d are quadratic residues, it 
follows that $a^{x_i} b^{s_i} d = a^x b^s d$. From here, we either break the discrete logarithm 
problem or factor n. 



Lemma 4. Under the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product, the simulator rejects with only negligible probability. 

Proof. (Sketch) Note that the only time when the simulator rejects is when a dishonest user makes the verifier accept in Protocol 3 or in Protocol 4 and yet the tuple $(x, s, e, c)$ extracted by the simulator was not given to the adversary by the simulator itself. Under the appropriate assumptions, by Lemmas |3 and 0 knowledge extraction succeeds with probability $1 - \mathrm{neg}(k)$. Then if we are given an adversary that can make the simulator reject non-negligibly often, we can use this adversary to create a forgery to contradict Theorem 0. 

The statistical zero-knowledge property of the underlying protocols gives us Lemma 5, which in turn implies Theorem 3. 

Lemma 5. The view of the adversary in the real protocol is statistically close to his view in the simulation. 

Theorem 3. Under the strong RSA assumption, the decisional Diffie-Hellman assumption modulo a safe prime product, and the assumption that factoring is hard, the credential system described above is secure. 

6 All-or-Nothing and PKI-Based Non-transferability 

The protocols described in Section 0 ensure consistency of credentials, i.e., credential pooling is not possible. However, credential (or pseudonym) lending is still possible. More precisely, revealing to a friend the secrets $x_U$ and $s_{(U,O_i)}$ attached to some credential does not mean that the friend obtains some other valuable secret of the user or can use any of the user's other credentials. This section provides protocols to obtain PKI-based non-transferability and all-or-nothing non-transferability to discourage users from credential lending. 

The idea of the former is that the user provides the CA with a (verifiable) encryption of some valuable external secret that can be decrypted with $x_U$. The idea for achieving the latter is similar, i.e., the user provides each organization with a (verifiable) encryption of the secrets underlying her validating tag. This approach raises some technical problems: 

First, the approach requires that each user encrypts each of her secret keys $D_i$ under one of her public keys $E_j$, thereby creating "circular encryptions". However, the canonical definitions of secure encryption do not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. Nevertheless, we introduce in this section a new cryptographic primitive called circular encryption, which is an encryption scheme that provides security for circular encryptions. Given any semantically secure encryption scheme, we provide a generic construction of such a scheme and prove its security in the random oracle model. 

Second, the encryptions made by a user must not reveal the public key this encryption was made with, i.e., we require that the encryption scheme be key-oblivious. We provide a formal definition of this and show that our circular encryption scheme satisfies it. 

Third, the encryption must be verifiable. To this end we review the verifiable encryption protocol due to Camenisch and Damgård and adapt it to suit our needs. Specifically, we want to enable verification without revealing the public key. We provide a verification method involving a committed public key, so that by inspecting this verifiable encryption, an adversary would not be able to discover the underlying public key. 

Independently of and concurrently with our work, Black et al. proposed symmetric encryption schemes for key-dependent messages (which is what we call circular symmetric encryption) and Bellare et al. studied key-private encryption (which is what we call key-oblivious encryption). 

6.1 Circular Encryption 

Definition 2. Let $n, m \in \mathrm{poly}(k)$. A semantically secure encryption scheme $\mathcal{G} = (\mathcal{E}, \mathcal{D})$ is circular-secure if 

1. There exists a message, denoted by $0$, such that for all $E \in \mathcal{G}(1^k)$, $0$ is in the message space of $E$. 

2. For all $E_1 \in \mathcal{E}(1^k)$, $D_2 \in \mathcal{D}(1^k)$, the message space of $E_1$ includes $D_2$. 

3. For all $n$-node directed graphs $G$ with $m$ edges, given $n$ randomly chosen public keys $\{E_i\}_{i=1}^n$, we have $\{E_i(D_j)\}_{(i,j) \in E(G)} \approx \{E_i(0)\}_{(i,j) \in E(G)}$. 

The idea here is that having access to encryptions of the secret keys does 
not help the adversary in breaking the security of the system. Note that if, in 
the definition above, we had limited our attention to acyclic graphs, then any 
semantically secure cryptosystem would be enough to satisfy such a definition. 
As the definition can only be more powerful if we include graphs that have cycles, 
we call this notion of security “circular security.” 

Let us present a cryptosystem that satisfies this definition in the random oracle model. Suppose the length of a secret key is $p(k)$. Let $\mathcal{H} : \{0,1\}^* \to \{0,1\}^{p(k)}$ be a random oracle, and let $\oplus$ denote the bitwise XOR operation. Let $\mathcal{G} = (\mathcal{E}, \mathcal{D})$ be a semantically secure cryptosystem with a sufficiently large message space. Construct $\mathcal{G}' = (\mathcal{E}', \mathcal{D}')$ as follows: generate $(E, D)$ according to $\mathcal{G}$. To encrypt a message $m \in \{0,1\}^{p(k)}$, $E'$ picks a random bit string $r$ and sets $E'(m) := (E(r), \mathcal{H}(r) \oplus m)$. To decrypt a tuple $(a, b)$, $D'$ computes $m := \mathcal{H}(D(a)) \oplus b$. For this construction, the following theorem holds (the proof can be found in the full version of this paper). 

Theorem 4. If $\mathcal{G}$ is semantically secure, $\mathcal{G}'$ is circular-secure. 

As a basis for our circular encryption scheme, we use the ElGamal encryption in some group $G = \langle g \rangle$. It is easy to see that the ElGamal cryptosystem is semantically secure under the decisional Diffie-Hellman assumption. Let $P = g^x$ be a public key. The resulting circular encryption scheme is as follows. To encrypt a message $m \in \{0,1\}^{p(k)}$, choose a random element $r_1 \in G$ and a random integer $r_2$ of the appropriate length, and compute the encryption $(u, v, z) := (P^{r_2} r_1,\ g^{r_2},\ \mathcal{H}(r_1) \oplus m)$. Decryption works by computing $\mathcal{H}(u / v^x) \oplus z$. We denote this encryption scheme by CElG. 
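To make the CElG construction concrete, here is an added Python example; it is not code from the paper or its authors. It runs ElGamal in a toy safe-prime group (p = 1019, q = 509, both constructed for the demo and far too small for real use) and wraps it exactly as above: (P^{r_2} r_1, g^{r_2}) is an ElGamal encryption of the random group element r_1, and H(r_1) masks the message. SHA-256 standing in for the random oracle H, drawing r_2 from Z_q, and all function names are assumptions of the example. key_cycle_roundtrip encrypts secret keys along a 2-cycle and a self-loop, the key-dependent situation Definition 2 is about, and checks that the ciphertexts still decrypt.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: safe prime p = 2q + 1 and a generator g of
# the order-q subgroup of quadratic residues. Real deployments need >= 2048-bit groups.
P_MOD, Q_ORD, G_GEN = 1019, 509, 4
MSG_BITS = 256  # message length p(k) of the scheme

def oracle_H(r1: int) -> int:
    """The random oracle H: {0,1}* -> {0,1}^{p(k)}, instantiated with SHA-256 (an assumption)."""
    return int.from_bytes(hashlib.sha256(r1.to_bytes(8, "big")).digest(), "big")

def keygen():
    """Secret key x in Z_q^*, public key P = g^x."""
    x = secrets.randbelow(Q_ORD - 1) + 1
    return pow(G_GEN, x, P_MOD), x

def random_group_element() -> int:
    """Uniform element of the order-q subgroup, sampled as a random non-trivial square."""
    while True:
        r = pow(secrets.randbelow(P_MOD - 2) + 2, 2, P_MOD)
        if r != 1:
            return r

def celg_encrypt(pub: int, m: int):
    """CElG: (u, v, z) = (P^{r2} * r1, g^{r2}, H(r1) xor m). The pair (P^{r2} r1, g^{r2}) is an
    ElGamal encryption of r1, so this is the generic E'(m) = (E(r), H(r) xor m) with E = ElGamal."""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message must be a p(k)-bit string")
    r1 = random_group_element()
    r2 = secrets.randbelow(Q_ORD)        # random exponent r2 (drawn from Z_q here: an assumption)
    u = pow(pub, r2, P_MOD) * r1 % P_MOD
    v = pow(G_GEN, r2, P_MOD)
    return u, v, oracle_H(r1) ^ m

def celg_decrypt(x: int, ct) -> int:
    """Recover r1 = u / v^x, then m = H(r1) xor z."""
    u, v, z = ct
    r1 = u * pow(pow(v, x, P_MOD), -1, P_MOD) % P_MOD
    return oracle_H(r1) ^ z

def key_cycle_roundtrip() -> bool:
    """The situation of Definition 2: secret keys encrypted along a 2-cycle (x1 under P2, x2
    under P1) and a self-loop (x1 under P1). The key-dependent ciphertexts still decrypt."""
    pub1, x1 = keygen()
    pub2, x2 = keygen()
    c12 = celg_encrypt(pub2, x1)   # edge 1 -> 2
    c21 = celg_encrypt(pub1, x2)   # edge 2 -> 1
    c11 = celg_encrypt(pub1, x1)   # self-loop 1 -> 1
    return (celg_decrypt(x2, c12) == x1 and celg_decrypt(x1, c21) == x2
            and celg_decrypt(x1, c11) == x1)
```

The point of the construction is visible in celg_encrypt: the secret key is never fed to the underlying ElGamal encryption; only a fresh random group element is, and the key-dependent message touches nothing but a random-oracle output. That is what lets the proof of Theorem 4 go through where plain semantic security says nothing about key cycles.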



110 Jan Camenisch and Anna Lysyanskaya 



6.2 Verifiable Encryption with a Committed Public Key 

Verifiable encryption is a protocol between a prover and a verifier such that as a result of the protocol, on input public key $E$ and value $v$, the verifier obtains an encryption $e$ of some value $s$ under $E$ such that $(s, v) \in \mathcal{R}$. Here $\mathcal{R}$ is a relation such as, e.g., $\{(s, g^s) \mid s \in \mathbb{Z}_q\} \subset \mathbb{Z}_q \times G$. More formally, 

Definition 3. Let $(\mathcal{E}, \mathcal{D})$ be a semantically secure encryption scheme. A two-party protocol between a prover $\mathcal{P}(\mathcal{R}, E, s, v)$ and a verifier $\mathcal{V}(\mathcal{R}, E, v)$ is a verifiable encryption protocol with respect to public keys $\mathcal{E}$ for a polynomial-time verifiable relation $\mathcal{R}$ if 

- For all $(E, D) \in \mathcal{G}(1^k)$ and for all $(s, v) \in \mathcal{R}$, if $\mathcal{P}$ and $\mathcal{V}$ are honest then $\mathcal{V}_{\mathcal{P}(\mathcal{R},E,s,v)}(\mathcal{R}, E, v) \ne \bot$. 

- There is an efficient extractor algorithm $\mathcal{C}$ such that for all sufficiently large $k$, and $\forall (E, D) \in (\mathcal{E}, \mathcal{D})(1^k)$, 

$\Pr[(\mathcal{C}(D, e), v) \in \mathcal{R} \mid e = \mathcal{V}_{\mathcal{P}(\mathcal{R},E,s,v)}(\mathcal{R}, E, v) \wedge e \ne \bot] = 1 - \mathrm{neg}(k)$. 

- There is a black-box simulator $\mathcal{S}$ such that $\forall \hat{\mathcal{V}}$, $\forall (s, v) \in \mathcal{R}$ we have $\mathcal{S}^{\hat{\mathcal{V}}(\mathcal{R},E,v)}(\mathcal{R}, E, v) \stackrel{c}{\approx} \hat{\mathcal{V}}_{\mathcal{P}(\mathcal{R},E,s,v)}(\mathcal{R}, E, v)$, where the probability "hidden" in the $\stackrel{c}{\approx}$ notation is over the choice of $E$ and the random coin tosses of $\hat{\mathcal{V}}$. 

Note that $e$ is not a single message from the prover, but the verifier's entire transcript of the protocol. Furthermore, $\mathcal{C}$ does not necessarily extract the same $s$ that was the additional input to the prover. It could extract some other value $s' \ne s$, but only if $(s', v) \in \mathcal{R}$. 

It is clear that an (inefficient) way of implementing verifiable encryption would be for the prover to encrypt $s$ under the public key $E$, and then carry out a zero-knowledge proof that the encrypted value satisfies relation $\mathcal{R}$ with respect to $v$. But this is not satisfactory, because it is important that verifiable encryption be executed efficiently enough to be useful in practice. Generalizing the protocol of Asokan et al., Camenisch and Damgård provide a practical verifiable encryption scheme for all relations $\mathcal{R}$ that have an honest-verifier zero-knowledge three-move proof of knowledge where the second message is a random challenge and the witness can be computed from two transcripts with the same first message but different challenges. This includes most known proofs of knowledge, and all proofs about discrete logarithms considered in this paper. Their construction is secure with respect to any public key for a semantically secure cryptosystem. 

We use similar notation for verifiable encryption as for the PK's and denote by, e.g., $e := VE(\mathrm{ElGamal}, (g, y))\{(\xi) : a = b^\xi\}$ the verifiable encryption protocol for the ElGamal scheme, whereby $\log_b a$ is encrypted in $e$ under public key $(y, g)$. 

For guaranteeing all-or-nothing non-transferability, we need to have each user verifiably encrypt all of her secret information under a public key that corresponds to her secret key. However, revealing this public key will leak information about the user. Therefore, we need to realize verifiable encryption in such a manner that the public key corresponding to the resulting ciphertext cannot be linked to the verifier's view, i.e., a verifiable encryption scheme must be key-oblivious: 

Definition 4. Let $(\mathcal{P}, \mathcal{V})$ be a verifiable encryption scheme with respect to public keys $\mathcal{E}$, for a polynomial-time verifiable relation $\mathcal{R}$. We say that this scheme is key-oblivious if for all polynomially bounded $\hat{\mathcal{V}}$, for all $E, E' \in \mathcal{E}$ and $\forall (s, v) \in \mathcal{R}$ we have $\hat{\mathcal{V}}_{\mathcal{P}(\mathcal{R},E,s,v)}(\mathcal{R}, v, E, E') \stackrel{c}{\approx} \hat{\mathcal{V}}_{\mathcal{P}(\mathcal{R},E',s,v)}(\mathcal{R}, v, E, E')$, where the probability "hidden" in the $\stackrel{c}{\approx}$ notation is over the random coin tosses of $\hat{\mathcal{V}}$. 

In case the verifier does not know the public key under which the encryption is carried out, previously known constructions do not work, as they require that the verifier be able to check that a given ciphertext is an encryption of a given value. Thus we propose a new construction, based on the circularly secure variant of the ElGamal cryptosystem described above. Here we assume that the prover $\mathcal{P}$ knows the secret key of the encryption; this is not the general case, but it works for our construction. Let $P = g^x$ serve as a public key, and $x$ as the corresponding secret key. Let $C = P h^r$ be a commitment to $P$, where $h$ is another generator of $G = \langle g \rangle$, and let $(u, v, z) = (P^{r_2} r_1,\ g^{r_2},\ \mathcal{H}(r_1) \oplus m)$ be an encryption of $m$ as above. To convince the verifier that $(u, v, z)$ is an encryption of $m$ under the public key committed to by $C$, the prover reveals $r_1$ and engages with the verifier in $PK\{(\alpha, \beta, \gamma) : C = g^\alpha h^\beta \wedge v = g^\gamma \wedge u / r_1 = v^\alpha\}$. The verifier further needs to check if $z = \mathcal{H}(r_1) \oplus m$. By using techniques developed by Camenisch and Damgård, a key-oblivious verifiable encryption scheme is obtained. 
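The proof of knowledge just described, as an added Python example (not code from the paper): a Fiat-Shamir version of PK{(α, β, γ) : C = g^α h^β ∧ v = g^γ ∧ u/r_1 = v^α} over a toy 10-bit safe-prime group, followed by the z = H(r_1) ⊕ m check. The group constants, SHA-256 as both H and the challenge hash, the non-interactive rather than three-move form, and all function names are assumptions of the example. Note what the verifier receives: C, the ciphertext, r_1 and the proof, but never P itself. demo() also shows that the same transcript is rejected against a commitment to a different public key.

```python
import hashlib
import secrets

# Toy group (constructed for this example; real use needs >= 2048-bit groups): safe prime
# p = 2q + 1 and two generators g, h of the order-q subgroup whose mutual discrete logarithm
# nobody in the example knows.
P_MOD, Q_ORD, G_GEN, H_GEN = 1019, 509, 4, 9

def fs_challenge(*vals: int) -> int:
    """Fiat-Shamir challenge over the transcript (assumption: SHA-256); kept at full width."""
    data = b"".join(v.to_bytes(8, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def pad(r1: int) -> int:
    """The random oracle H(r1) that masks the message in CElG (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(r1.to_bytes(8, "big")).digest(), "big")

def prove_committed_key(x, r, r1, r2, C, u, v):
    """Prover side of PK{(alpha, beta, gamma): C = g^alpha h^beta AND v = g^gamma AND u/r1 = v^alpha}
    with alpha = x (secret key), beta = r (commitment randomness), gamma = r2."""
    w = u * pow(r1, -1, P_MOD) % P_MOD                 # public value u / r1 = P^{r2} = v^x
    a, b, c = (secrets.randbelow(Q_ORD) for _ in range(3))
    T1 = pow(G_GEN, a, P_MOD) * pow(H_GEN, b, P_MOD) % P_MOD
    T2 = pow(G_GEN, c, P_MOD)
    T3 = pow(v, a, P_MOD)
    e = fs_challenge(C, v, w, T1, T2, T3)
    return e, (a + e * x) % Q_ORD, (b + e * r) % Q_ORD, (c + e * r2) % Q_ORD

def verify_committed_key(C, u, v, r1, proof) -> bool:
    """Verifier side: recompute T1, T2, T3 from the responses and re-derive the challenge."""
    w = u * pow(r1, -1, P_MOD) % P_MOD
    e, s1, s2, s3 = proof
    T1 = pow(G_GEN, s1, P_MOD) * pow(H_GEN, s2, P_MOD) * pow(C, -e, P_MOD) % P_MOD
    T2 = pow(G_GEN, s3, P_MOD) * pow(v, -e, P_MOD) % P_MOD
    T3 = pow(v, s1, P_MOD) * pow(w, -e, P_MOD) % P_MOD
    return e == fs_challenge(C, v, w, T1, T2, T3)

def verify_committed_encryption(C, ct, r1, m, proof) -> bool:
    """Full verifier check: the PK above plus z = H(r1) xor m."""
    u, v, z = ct
    return verify_committed_key(C, u, v, r1, proof) and z == pad(r1) ^ m

def demo():
    x = secrets.randbelow(Q_ORD - 1) + 1            # prover's secret key
    P = pow(G_GEN, x, P_MOD)                        # public key: stays with the prover
    r = secrets.randbelow(Q_ORD)
    C = P * pow(H_GEN, r, P_MOD) % P_MOD            # commitment C = P h^r, sent to the verifier
    m = 0x2a                                        # value the verifier already knows
    r1 = pow(secrets.randbelow(P_MOD - 2) + 2, 2, P_MOD)   # random group element
    r2 = secrets.randbelow(Q_ORD)
    ct = (pow(P, r2, P_MOD) * r1 % P_MOD, pow(G_GEN, r2, P_MOD), pad(r1) ^ m)  # CElG under P
    proof = prove_committed_key(x, r, r1, r2, C, ct[0], ct[1])
    ok = verify_committed_encryption(C, ct, r1, m, proof)
    # The same transcript against a commitment to a different key must be rejected.
    C_other = pow(G_GEN, x + 1, P_MOD) * pow(H_GEN, r, P_MOD) % P_MOD
    rejected = not verify_committed_encryption(C_other, ct, r1, m, proof)
    return ok, rejected
```

The third relation is where the binding to the committed key happens: u/r_1 = P^{r_2} = v^x, so proving knowledge of the same exponent α in both C = g^α h^β and u/r_1 = v^α ties the ciphertext to whatever key is hidden in C without ever opening the commitment.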

In the sequel, we write, e.g., $\mathrm{Com\text{-}VE}(\mathrm{CElG}, (\mathcal{H}, g, h, C))\{(\xi) : a = b^\xi\}$ for this key-oblivious verifiable encryption with respect to a committed public key. The proof of the following lemma uses standard techniques and is given in the full version of this paper. 

Lemma 6. Under the decisional Diffie-Hellman assumption, the verifiable encryption scheme described above is key-oblivious. 

6.3 All-or-Nothing Non-transferability 

As already mentioned, all-or-nothing non-transferability is achieved by ensuring that if a user $U$ gives away her master secret $x_U$, then she will also reveal the secret keys underlying her validating tag with $O$. More precisely, $U$ has to supply $O$ a verifiable encryption of these secrets w.r.t. the secret key $x_U$. This is done in the following protocol, which $U$ and $O$ should carry out as part of Protocol 1. A prerequisite of the protocol is that during the setup of the system, a group $G = \langle g \rangle = \langle h \rangle$ of sufficiently large prime order $q$ is chosen such that $\log_g h$ is unknown. 

Protocol 5 

1. $U$ chooses $r \in_R \mathbb{Z}_q$, sets $C := g^{x_U} h^r$, and sends $C$ to $O$. $U$ proves to $O$ that $C$ is a commitment to her public key by carrying out 

$PK\{(\gamma, \delta, \varphi) : P_{(U,O)} = (a_O)^\gamma (b_O)^\delta \wedge C = g^\gamma h^\varphi\}$. 

2. $U$ and $O$ engage in the verifiable encryption protocol 

$w_{(U,O)} = \mathrm{Com\text{-}VE}(\mathrm{CElG}, (\mathcal{H}, g, h, C))\{(\alpha, \beta) : P_{(U,O)} = (a_O)^\alpha (b_O)^\beta\}$. 

3. $O$ publishes $N_{(U,O)}$ and $w_{(U,O)}$. 

However, publishing $w_{(U,O)}$ is not sufficient for using $U$'s credential with $O$ even when knowing $x_U$. Therefore, the organizations must publish all related information together with the verifiable encryption. Hence, at the end of Protocol 2, $O$ must publish $(c_{(U,O)}, e_{(U,O)})$ together with $N_{(U,O)}$. Thus, we obtain all-or-nothing transferability: whenever a user's friend gets to know $x_U$, he can look at the organizations' public records to obtain all information needed to use all the user's credentials. 

6.4 PKI-Assured Non-transferability 

We assume that the user possesses some external valuable public key $PK_E$. Then PKI-assured non-transferability is achieved by having the CA ask for this public key, check whether it is indeed the user's public key (e.g., via some external certificate), and require the user to verifiably encrypt the corresponding secret key $SK_E$ with respect to $x_U$. This verifiable encryption is then published by the CA. Now, if the user ever gives $x_U$ away to her friend, then her friend, by reading the CA's public records, will recover the verifiable encryption of $SK_E$, and will succeed in decrypting it. 

The technical realization is similar to the one for all-or-nothing non-transferability. The main difference is that we do not need circular encryption and thus can use regular ElGamal. We give an example of what this protocol looks like when $U$'s external public key $Y_E$ is discrete-logarithm based, i.e., $Y_E = g^{SK_E}$ for some generator $g$ in some group $G$. Other cases are similar. A prerequisite of the protocol is that during the setup of the system, a group $G = \langle g \rangle = \langle h \rangle$ of sufficiently large prime order $q$ is chosen such that $\log_g h$ is unknown. 

Protocol 6 

1. $U$ sends $Y_E$, $g$, and the certificate on $Y_E$ of the external PKI to the CA, who checks their validity. 

2. $U$ chooses $r \in_R \mathbb{Z}_q$, sets $C := g^{x_U} h^r$, and sends $C$ to the CA. $U$ proves to the CA that $C$ is a commitment to her public key by carrying out 

$PK\{(\gamma, \delta, \varphi) : P_{(U,CA)} = (a_{CA})^\gamma (b_{CA})^\delta \wedge C = g^\gamma h^\varphi\}$. 

3. $U$ and the CA engage in 

$w_{PKI} = \mathrm{Com\text{-}VE}(\mathrm{ElGamal}, (\mathcal{H}, g, h, C))\{(\alpha) : Y_E = g^\alpha\}$. 

4. The CA publishes $(w_{PKI}, PKI)$. 
7 One-Show Credentials and Revocation 

This section describes how the basic credential scheme can be extended to allow 
for global and local revocation as well as to enable organizations to issue one- 
show credentials. 



7.1 One-Show Credentials 

The credentials we considered so far can be shown an unlimited number of times. However, for some services it might be required that a credential can only be used once (e.g., when it represents money). Of course, one possibility would be that a user just reveals the credential to the verifier. This, however, would mean that the user is not fully anonymous any more, as the verifier and the organization then both know the credential and thus can link the transaction to the user's pseudonym. Traditionally, this problem has been solved using so-called blind signatures. Here, we provide a novel and alternative way to approach this problem, i.e., instead of blinding the signer we blind the verifier. In the sequel we describe the general idea, the changes to the protocols that need to be made, and provide a protocol for showing one-show credentials. 

Addition to key generation. Each organization $O$ publishes an additional generator $z_O \in QR_{n_O}$. 

Changes to Protocol 1. The validating tag $P_{(U,O)}$ on a user's pseudonym $N_{(U,O)}$ is formed slightly differently: $P_{(U,O)} = \ldots$, where $r_{(U,O)}$ is chosen by $O$ and $U$ together in the same way as $s_{(U,O)}$ is. (Credentials, however, are issued in the same way as before, i.e., $U$ obtains $c_{(U,O)}$, $e_{(U,O)}$ such that $c_{(U,O)}^{e_{(U,O)}} = P_{(U,O)} d_O \pmod{n_O}$ holds.) 

Showing a one-show credential. When proving possession of a one-show credential issued by $O$ (with respect to a pseudonym or not), the user provides to verifier $V$ (which might be an organization) the value $H_{(U,O)} = \ldots$ and proves that it is formed correctly w.r.t. the pseudonym $U$ established with $O$. Of course, the various proofs of knowledge in the respective protocols have to be adapted to reflect the different form of the pseudonym $U$ holds with $O$. These adaptations, however, are immediate and we do not describe them here. 

Now, different usages of the same credential can be linked to each other but not to the user's pseudonym with the issuing organization. This makes it possible to prevent users from using the same credential several times, if the verifier checks with the issuing organization whether $H_{(U,O)}$ was already used or not, similar to what is done for anonymous on-line e-cash. 

Off-line checking could be done as well. As here double usage can only be detected but not prevented, a mechanism for identifying double-users is required. This could for instance be achieved using revocation as described in the previous section, or using techniques similar to those used for anonymous off-line e-cash. 
We now describe how the latter can be done such that using a one-show credential twice would expose the user's secret keys connected with the corresponding pseudonym. Together with (any kind of) non-transferability this would be quite a strong incentive for the users not to use one-show credentials twice. The main idea is that the verifying entity chooses some random challenge $c$ from a suitably large set, say $\{0,1\}^{\ell_c}$ with $\ell_c = 60$, and the user replies with $r = c\,x_U + s_{(U,O)}$ and proves correctness of this result. To assure that $r$ hides $x_U$ statistically, we must have that $\ell_\Delta > \varepsilon(\ell_\Gamma + \ell_c)$ because $x_U \in \Gamma$ and $s_{(U,O)} \in \Delta$. However, when a user uses the same credential twice, one can compute $x_U$ from the different replies the user provides. We present the resulting protocol for showing a single credential (cf. Protocol 3). 

Protocol 7 

1. $U$ chooses random bit strings $r_1, r_2$ of the appropriate length, computes $A = c_{(U,O)} h_O^{r_1}$ and $B = h_O^{r_1} g_O^{r_2}$, and sends $A, B, H_{(U,O)}$ to $V$. 

2. $V$ chooses $c \in_R \{0,1\}^{\ell_c}$ and sends $c$ to $U$. 

3. $U$ replies with $r = c\,x_U + s_{(U,O)}$ (computed in $\mathbb{Z}$). 

4. $U$ engages with $V$ in 

'^o 

B^ = {hlnglf A l = A 

9o 

H{u, 0 ) = 5o = {9o)^9o ^ P G F A j G A A if G A A a G A} . 

The adaptation of Protocol Q to implement one-show credentials with built-in anonymity revocation is similar. 
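The double-use detection of Protocol 7, as an added Python example (not part of the paper): the user answers the challenge c with r = c·x_U + s_(U,O) over the integers, and a verifier that sees two responses for the same tag H_(U,O) with different challenges recovers x_U by one exact division. The bit lengths ℓ_Γ and ℓ_Δ, the toy modulus n_O, the modelling of H_(U,O) as z_O^{s_(U,O)} mod n_O (the page's own formula for H_(U,O) is not legible here) and all class and function names are assumptions of the example; the proof of knowledge of step 4, which ties r to the tag, is not modelled.

```python
import secrets

# Bit lengths. l_c = 60 is the challenge length from the page; l_Gamma (length of the master
# secret x_U in Gamma) and l_Delta (length of s_(U,O) in Delta) are assumed, chosen so that
# l_Delta > eps * (l_Gamma + l_c) holds with eps = 2.
L_C, L_GAMMA = 60, 160
L_DELTA = 2 * (L_GAMMA + L_C)

# Toy organisation modulus n_O = 1019 * 1187 (two safe primes) and z_O in QR_{n_O}, both
# constructed for this example; a real n_O has 2048 or more bits.
N_O = 1019 * 1187
Z_O = pow(5, 2, N_O)

def random_of_length(bits: int) -> int:
    """Uniform integer with exactly `bits` bits (top bit set)."""
    return secrets.randbits(bits - 1) | (1 << (bits - 1))

class User:
    """Holds the master secret x_U and the credential secret s_(U,O). The linking tag H_(U,O)
    is modelled as z_O^{s_(U,O)} mod n_O (an assumption: it only has to be a deterministic
    function of the credential secret, so that two uses carry the same tag)."""
    def __init__(self):
        self.x_u = random_of_length(L_GAMMA)
        self.s_uo = random_of_length(L_DELTA)
        self.tag = pow(Z_O, self.s_uo, N_O)

    def respond(self, c: int) -> int:
        """Step 3 of Protocol 7: r = c * x_U + s_(U,O), computed over the integers."""
        return c * self.x_u + self.s_uo

def extract_master_secret(c1: int, r1: int, c2: int, r2: int):
    """Two responses built on the same s_(U,O): r1 - r2 = (c1 - c2) * x_U, hence
    x_U = (r1 - r2) / (c1 - c2). Returns None if the challenges coincide or the division
    is not exact (the two responses cannot come from one credential)."""
    if c1 == c2 or (r1 - r2) % (c1 - c2) != 0:
        return None
    return (r1 - r2) // (c1 - c2)

class Verifier:
    """Keeps the accepted (tag -> (c, r)) pairs, standing in for the issuing organisation's
    list of used tags. On a repeated tag with a fresh challenge it recovers x_U."""
    def __init__(self):
        self.seen = {}

    def show_credential(self, user: User):
        c = secrets.randbits(L_C)          # step 2: random l_c-bit challenge
        r = user.respond(c)                # step 3 (the PK of step 4 is not modelled)
        if user.tag in self.seen:
            c_prev, r_prev = self.seen[user.tag]
            return extract_master_secret(c_prev, r_prev, c, r)
        self.seen[user.tag] = (c, r)
        return None                        # first use: accepted, nothing exposed
```

A single response is about ℓ_Δ bits long and c·x_U occupies only its low ℓ_Γ + ℓ_c bits, which is the length condition the text states; it is the second response with a different c, not any single one, that leaks x_U.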

7.2 Local and Global Revocation 

For simplicity we assume a single revocation manager $R$ who is responsible for local and global revocation (extending the scheme to one revocation manager per organization is easy). Given the transcript of a protocol where some user proved possession of a credential from organization $O_i$, $R$ will have the task of providing information that allows the organization to identify the pseudonym of the user in case of local revocation, or allows the CA to retrieve the identity of the user. 

In the sequel we describe how the protocols for proving possession of a credential must be adapted such that local revocation is possible using Cramer-Shoup encryption [22]. We then discuss global revocation. We remark that it can be decided at the time when the possession of a credential is proved whether local and/or global revocation shall be possible for the transaction at hand. 

Additions to key generation. The revocation manager $R$ chooses a group $G = \langle g \rangle = \langle h \rangle$ of sufficiently large prime order $q$. Then he chooses five secret keys $x_1, \ldots, x_5 \in_R \mathbb{Z}_q$ and computes $(y_1, y_2, y_3) := (g^{x_1} h^{x_2},\ g^{x_3} h^{x_4},\ g^{x_5})$ as his public key. Each organization $O$ publishes an additional generator $v_O \in QR_{n_O}$. 

Changes to Protocol 1. A validating tag $P_{(U,O)}$ of a user's pseudonym $N_{(U,O)}$ is formed slightly differently: $P_{(U,O)} = a_O^{x_U} b_O^{s_{(U,O)}} v_O^{x_{(U,O)}}$, where $x_{(U,O)}$ is chosen from $\Gamma$ by $U$. However, credentials are issued in the same way as before, i.e., $U$ obtains $c_{(U,O)}$ and $e_{(U,O)}$ such that $c_{(U,O)}^{e_{(U,O)}} = P_{(U,O)} d_O \pmod{n_O}$ holds. 

If Protocol 1 is carried out with the CA, it is extended by the following steps. 

8. $U$ computes $Y_U = g^{x_U}$ and sends $Y_U$ to the CA. 

9. $U$ engages with the CA in 

$PK\{(\alpha, \beta, \gamma) : P_{(U,CA)} = (a_{CA})^\alpha (b_{CA})^\beta (v_{CA})^\gamma \wedge Y_U = g^\alpha \wedge \gamma \in \Gamma\}$. 

10. Both the CA and $U$ store $Y_U$ with $P_{(U,CA)}$. 

In case Protocol 1 is carried out with an organization $O$ different from the CA, it is extended by the following steps. 

8. $U$ computes $Y_{(U,O)} = g^{x_{(U,O)}}$ and sends $Y_{(U,O)}$ to $O$. 

9. $U$ engages with $O$ in 

$PK\{(\alpha, \beta, \gamma) : P_{(U,O)} = (a_O)^\alpha (b_O)^\beta (v_O)^\gamma \wedge Y_{(U,O)} = g^\gamma \wedge \gamma \in \Gamma\}$. 

10. Both $O$ and $U$ store $Y_{(U,O)}$ with $P_{(U,CA)}$. 

Changes to Protocols 3 and 4. Suppose Protocol 3 (resp. Protocol 4) is being executed. Suppose the user $U$ and the verifying organization $V$ agree upon a text $m$ that describes under what conditions $V$ can find out $U$'s identifying information. Specifically, $m$ describes the conditions under which $V$ may find out $U$'s pseudonym with the issuing organization $O$, as well as the conditions under which $V$ may find out $U$'s identity. The text of $m$ can also include part of the communication transcript of the current protocol. The former mode of anonymity revocation is called local revocation, while the latter is called global revocation. We provide the two protocols to be executed as sub-routines of Protocol 3 (resp. Protocol 4) in order to get local and/or global revocation, respectively, where the user proves possession of a credential issued by organization $O$. 

Protocol 8 (Global Revocation) 

1. $U$ chooses $r_2 \in_R \mathbb{Z}_q$ and computes $w_1 := g^{r_2}$, $w_2 := h^{r_2}$, $w_3 := y_3^{r_2} Y_U$, and $w_4 := y_1^{r_2}\, y_2^{r_2 \mathcal{H}(w_1, w_2, w_3, m_O)}$, and sends $W_{(U,R)} = (w_1, w_2, w_3, w_4)$ to $V$. 

2. $U$ and $V$ engage in 

P 7 f{(a,/ 3 , 7 , 5 ,£,e): 4 = A W4 = A 

"o 

LE A 0 e A I 'H{wi,W2,W3,mo)\e', 

W2 = u A W 3 = gPyl A W4 = (2/12/2 ) } • 
Protocol 9 (Local Revocation) 

1. $U$ chooses $r_1 \in_R \mathbb{Z}_q$ and computes $w_1 := g^{r_1}$, $w_2 := h^{r_1}$, $w_3 := y_3^{r_1} Y_{(U,O)}$, and $w_4 := y_1^{r_1}\, y_2^{r_1 \mathcal{H}(w_1, w_2, w_3, m_O)}$, and sends $W_{(U,R)} = (w_1, w_2, w_3, w_4)$ to $V$. 

2. $U$ and $V$ engage in 
P7f{(a,/3,7,5,e,6: dl = {A^T {\f {\)^ A w^ = g^ A 

“o °o '^o 

W2 = h^ ^ w, = g^yl A n;4 = V} . 

Revocation. Upon presentation of an encryption $w = (w_1, w_2, w_3, w_4)$ and a revocation condition $m$, stemming from Protocol 8 or 9, the revocation manager checks whether $w_4 = w_1^{x_1 + x_3 \mathcal{H}(w_1 \| w_2 \| w_3 \| m)}\, w_2^{x_2 + x_4 \mathcal{H}(w_1 \| w_2 \| w_3 \| m)}$ and whether $m$ is satisfied. If these checks succeed, he returns $Y := w_3 / w_1^{x_5}$. In case of local revocation, $Y$ will allow retrieval of the user's pseudonym with the organization that issued the credential of which that user proved possession. In case of global revocation, $Y$ will allow the CA to retrieve the identity of the user. 
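The revocation encryption of Protocols 8 and 9 and the check performed by R, as an added Python example (not code from the paper). It generates a 128-bit safe-prime group at import time (a demonstration size; the Miller-Rabin test, SHA-256 as H, the constructed condition text and the function names are assumptions) and follows the paper's structure exactly: w = (g^r, h^r, y_3^r Y, y_1^r y_2^{r H(w_1,w_2,w_3,m)}), with R recomputing the tag from its five secret keys and the presented m before releasing Y = w_3 / w_1^{x_5}. demo() shows that presenting the same w under a different condition text fails the check.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (sufficient for a demonstration group)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int):
    """Return (p, q, g, h): p = 2q + 1 prime and g, h random generators of the order-q
    subgroup of quadratic residues, so that log_g h is unknown to everyone."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    gens = []
    while len(gens) < 2:
        cand = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if cand != 1:
            gens.append(cand)
    return p, q, gens[0], gens[1]

# A 128-bit group generated for this example (real use: 2048 bits or more).
P_MOD, Q_ORD, G_GEN, H_GEN = safe_prime_group(128)

def hash_label(w1: int, w2: int, w3: int, m: bytes) -> int:
    """H(w1 || w2 || w3 || m) as an exponent in Z_q (assumption: SHA-256)."""
    nbytes = (P_MOD.bit_length() + 7) // 8
    data = b"".join(w.to_bytes(nbytes, "big") for w in (w1, w2, w3)) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def revocation_manager_keygen():
    """R's keys: x1..x5 in Z_q and (y1, y2, y3) = (g^x1 h^x2, g^x3 h^x4, g^x5)."""
    x1, x2, x3, x4, x5 = (secrets.randbelow(Q_ORD) for _ in range(5))
    y1 = pow(G_GEN, x1, P_MOD) * pow(H_GEN, x2, P_MOD) % P_MOD
    y2 = pow(G_GEN, x3, P_MOD) * pow(H_GEN, x4, P_MOD) % P_MOD
    y3 = pow(G_GEN, x5, P_MOD)
    return (y1, y2, y3), (x1, x2, x3, x4, x5)

def encrypt_for_revocation(pk, Y: int, m: bytes):
    """Step 1 of Protocol 8/9: w = (g^r, h^r, y3^r * Y, y1^r * y2^{r * H(w1, w2, w3, m)})."""
    y1, y2, y3 = pk
    r = secrets.randbelow(Q_ORD)
    w1, w2 = pow(G_GEN, r, P_MOD), pow(H_GEN, r, P_MOD)
    w3 = pow(y3, r, P_MOD) * Y % P_MOD
    alpha = hash_label(w1, w2, w3, m)
    w4 = pow(y1, r, P_MOD) * pow(y2, r * alpha % Q_ORD, P_MOD) % P_MOD
    return w1, w2, w3, w4

def revoke(sk, w, m: bytes, condition_satisfied: bool):
    """R checks w4 = w1^{x1 + x3 H} * w2^{x2 + x4 H} for H = H(w1||w2||w3||m) and that the
    condition m is satisfied; only then it returns Y = w3 / w1^{x5}, otherwise None."""
    x1, x2, x3, x4, x5 = sk
    w1, w2, w3, w4 = w
    alpha = hash_label(w1, w2, w3, m)
    expected = (pow(w1, (x1 + x3 * alpha) % Q_ORD, P_MOD)
                * pow(w2, (x2 + x4 * alpha) % Q_ORD, P_MOD)) % P_MOD
    if w4 != expected or not condition_satisfied:
        return None
    return w3 * pow(pow(w1, x5, P_MOD), -1, P_MOD) % P_MOD

def demo():
    """Global revocation round trip, then the same w presented under an altered condition."""
    pk, sk = revocation_manager_keygen()
    x_u = secrets.randbelow(Q_ORD - 1) + 1
    Y_u = pow(G_GEN, x_u, P_MOD)          # Y_U = g^{x_U}, as stored by the CA with P_(U,CA)
    m = b"constructed condition: reveal identity only on a court order"
    w = encrypt_for_revocation(pk, Y_u, m)
    recovered = revoke(sk, w, m, True)
    altered = revoke(sk, w, b"constructed condition: reveal identity on request", True)
    return recovered == Y_u, altered is None
```

Because w_4 is computed from H(w_1‖w_2‖w_3‖m), the agreed condition is part of the ciphertext: a verifier who later presents w together with a weaker condition text fails R's check, so R never releases Y under terms the user did not agree to.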

7.3 Encoding Expiration Dates and Other Personal Attributes 

Expiration dates and other attributes of credentials can be encoded in the exponent $e_{(U,O)}$, as this is the organization's choice. We need to divide the interval $\Lambda$ into subintervals. Then, if a user is required to prove certain attributes of her credential, she proves that the exponent lies in the subinterval instead of proving that it lies in $\Lambda$. 
Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivious-transfer protocols, satisfying the following requirements: As long as the buyer's balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item's price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer's current balance is or when it actually runs out of its funds. 

The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first one-round (two-pass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas). This protocol is a special case of a more general "conditional disclosure" methodology, which extends a previous approach and adapts it to the 2-party setting. 



1 Introduction 

Consider a scenario where a buyer wishes to purchase digital goods from a vendor without disclosing what it is buying, or even when exactly it is buying. For instance, the buyer may wish to subscribe to a pay-per-view service, where different costs are associated with different channels, or get up-to-date information on its stock portfolio. In both cases buyers may wish to hide from vendors what items they are buying, or even whether at a given moment they are buying anything at all. 



B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 1 1fl- Tnn 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
In the realm of physical goods, it is inherently impossible to hide from the vendor what, when, and how much it is selling. Being bound to a limited inventory, the vendor must keep track of how many items of each kind it has in stock. However, unlike physical goods, digital goods are typically of unlimited supply. The purpose of this paper is to exploit the difference between the physical and the digital worlds in order to obtain privacy of buyers in the following electronic commerce scenario. Assume that a buyer first deposits a pre-payment at the hands of a vendor.^1 The buyer should then be able to engage in a virtually unlimited number of interactions with the vendor in order to obtain digital goods (also referred to as items) at a total cost which does not exceed its initial deposit amount. After spending all of its initial credit, the buyer should be unable to obtain any additional items before depositing an additional pre-payment. This paper provides efficient ways to implement this, rather standard, e-commerce task with the added requirement of maintaining the buyer's privacy. That is, the vendor should learn nothing except what must inevitably be learned: the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer's current balance is or when it actually runs out of its funds. 

Traditional approaches for protecting the privacy of buyers, such as anonymous digital payments, do not address the problem of hiding which goods are being bought and when. This information, possibly combined with additional information from other sources (such as traffic analysis), may facilitate attacks on the privacy of individual buyers.^2 Moreover, strong anonymity is not only difficult to implement and prone to various types of attacks, but in some contexts it is also undesirable. We stress that our solutions do not require anonymity of buyers and do not attempt to achieve this property. On the contrary, our work provides an alternative approach for protecting individual buyers engaging in e-commerce activities, which promises a different (and in a sense stronger) type of security. This approach is most beneficial when anonymity is insufficient, undesirable, or difficult to achieve. 

Priced Oblivious Transfer. The well-known oblivious transfer primitive provides a partial solution to our problem. If all items are identically priced, then the buyer's initial deposit determines the number of items it is entitled to obtain. In this case, the vendor may allow the buyer to retrieve just the right number of items using multiple invocations of oblivious transfer. However, this solution is not applicable in the realistic scenario where the items are not identically priced. Moreover, coping with differently priced items may be highly beneficial even in the case that all "real" items have the same price. By adding a single dummy item with price 0, the buyer has the option of "buying" this item an arbitrary number of times for the sole purpose of hiding when it is buying real items. This added privacy feature is impossible to achieve with a standard use of oblivious transfer, unless the buyer is willing to pay for all the dummy items it retrieves. 

^1 By having the buyer pay to a third party, the vendor may be initialized with an encryption of the buyer's deposit and therefore not even learn the deposit amount. 

^2 One may argue that without any such information, the vendor can hardly optimize the offered goods. However, marketing-related information can still be voluntarily provided to the vendor by potential buyers. 

Priced Oblivious Transfer: How to Sell Digital Goods 

Obtaining a complete solution to our problem requires a more general proto- 
col that we call priced oblivious transfer. Assume that at the beginning of each 
phase of interaction the vendor holds an encryption of the buyer’s current bal- 
ance. A phase of interaction (also referred to as a transaction) should allow the 
buyer to privately retrieve a single item. This in itself is an oblivious transfer 
protocol. However, in this case we have the following additional requirements: 
(1) The buyer can only retrieve an item if its current balance is larger than the 
item’s price; (2) The price of the item the buyer retrieves should be decreased 
from the buyer’s (encrypted) balance. 

Broadcast Encryption. A prime motivating example for priced oblivious trans- 
fer is as follows. A vendor is broadcasting n different data streams. The data 
streams may be video, audio, or text and the content may be news, entertain- 
ment, technical and professional information, etc. To accomplish private buying 
in this setting, the vendor encrypts each of the n streams with a different key. 
The buyer and vendor then engage in a priced oblivious transfer protocol where 
the keys are the items being transferred. The buyer is then able to decrypt the 
data stream that it paid for, but as it does not have knowledge of the other keys, 
it is unable to gain access to the content of the other data streams. 

Subscriptions. An important extension to enabling the purchase of a single digital good per transaction is to allow subscriptions. In a subscription scenario, the vendor changes the database periodically. Denote the $i$th data item at time $j$ as $x^i_j$. The sequence of the $i$th data items over time, $x^i_0, x^i_1, \ldots$, is called the $i$th channel or channel stream. For example, a channel may be a daily financial white paper or a daily decryption key for a broadcast stream as above. In this setting the buyer is allowed to subscribe to a channel. As with a single data item from a static database, the channel to which a buyer subscribes should remain private. While the buyer is subscribed to a channel, it receives the sequence of data items of the channel and its balance is deducted by the appropriate amount each time period of the channel. The buyer remains subscribed to the channel until it explicitly unsubscribes or until its balance becomes negative. It is clear that the operation of subscribing to a channel can be simulated by repeated operations of purchasing an item. The issue however is one of efficiency and in particular it is a question of the communication pattern: While buying inherently requires some non-trivial interaction, maintaining a subscription should ideally require only efficient one-way communication from the vendor to the buyer. Allowing an efficient subscription implementation (with one-way communication) seems to be vital in many of the applications we have in mind. We therefore extend our solutions to handle this additional requirement. 

A Note Concerning Efficiency. The main goals of this work are to put forward a 
new problem, establish a “practical feasibility” result for this problem, and in 
the process develop some useful general tools. We do not attempt minor 
optimizations which would complicate the presentation. Our solution should be 
mainly viewed as a feasible framework which may be the basis for further 
optimizations. 
Additional Contributions. Several ingredients of our construction seem to be of 
independent interest. In particular, we obtain the first implementation of a 
1-round oblivious transfer protocol satisfying a “reasonable” security definition 
and provably secure under a “reasonable” security assumption. The security of our 
protocol can be based on the decisional Diffie-Hellman (DDH) assumption. A similar 
protocol has been independently obtained by Naor and Pinkas [ref]. The oblivious 
transfer protocol follows from a more general conditional disclosure methodology, 
which can be used in some contexts as a light-weight alternative to zero-knowledge 
proofs. In doing so we extend an “information-theoretic” technique from [ref] (see 
Section 2.3) and adapt it to the 2-party setting. In the course of addressing the 
case of subscriptions, we propose efficient solutions for the problem of privately 
retrieving a chosen prefix of a long stream of information. 

Related Work. General techniques for secure 2-party computation [ref] may be used 
to solve our problem. However, similarly to most other works in this area, our 
goal is to use the specific structure of the problem at hand to provide far more 
efficient solutions than those obtained via general techniques. 

The current work has been greatly inspired by previous works on specific secure 
computation tasks such as private information retrieval (PIR) and oblivious 
transfer. In Section 2.3 we describe some relevant techniques from these works 
which we rely on or extend. A restricted “off-line” variant of our problem may be 
viewed as a special case of a generalized oblivious transfer primitive studied in 
[ref]. In a distributed multi-vendor setting, an off-line variant of our problem 
has been considered in [ref]. Adapting the solutions from [ref] to our setting 
would result in very inefficient protocols. We stress that unlike the PIR-related 
context of [ref], where the main concern is that of minimizing the asymptotic 
complexity as a function of the number of data items, most aspects of our problem 
are equally interesting even when the number of items is as small as 2. 

Organization. The remainder of the paper is organized as follows. In Section 2 we 
specify the problem and its security requirements, and review the tools we will 
use. In Section 3 we describe our basic protocol and its properties. We also 
discuss some efficiency improvements. In Section 4 we discuss an extension to the 
subscription scenario. Finally, in Section 5 we present the one-round OT protocol 
which is a special case of our methodology. 

2 Preliminaries 

2.1 Problem Specification 

As discussed in the introduction, our goal is to construct an “on-line” protocol 
between a buyer B and a vendor V which allows the buyer and the vendor to 
engage in multiple transactions. Both the buyer and the vendor are allowed to 
store a (short) state information between transactions. Before specifying the 
security aspects of the protocol, we will first describe its desired functionality. 

Initialization: At time 0, the buyer initializes its balance with a pre-payment 
to the vendor. 

Main Protocol: At time t, t = 1, 2, . . . 

— The vendor may choose a database x = (x^1, ..., x^n) of n items for sale and 
some public information P concerning the identity of these items. P contains a 
price list p = (p^1, ..., p^n). By convention, x^0 is a dummy item with p^0 = 0. 

— The buyer may then decide either to: 

• Buy the i-th item, where 0 ≤ i ≤ n; if the buyer’s remaining balance is 
sufficiently large (i.e., the combined price of all items previously received 
and the current price p^i does not exceed the initial deposit), the buyer 
receives x^i. 

• Subscribe to the i-th channel; by subscribing, the buyer indicates that it 
wishes to continue buying the i-th item until overriding the subscription with 
a new request. We assume that throughout the subscription, the buyer is charged 
the price p^i effective when initiating the subscription (even though p^i may 
change). 

• Unsubscribe, i.e., terminate a previous “subscribe” request. 

• Do nothing, i.e., maintain its default subscription if such exists, and 
otherwise keep idle. 



2.2 Security Requirements 

Efficiency considerations dictate some compromises we make in comparison to 
full-fledged simulation-based definitions for secure computation (e.g., those of 
[ref]). Nonetheless, our solutions are provably secure under standard security 
assumptions. Our formal security requirements, which are only sketched below, 
can be found in the full version. 

Both B and V are modeled by efficient randomized algorithms, and are initially 
given a security parameter 1^κ and a number of items 1^n as inputs. We assume 
that subsequent “inputs” are dynamically chosen by B, V as the protocol 
proceeds. The protocol is assumed to terminate after a polynomial number of 
transactions. An honest buyer is restricted to choose items such that their total 
price does not exceed the initial deposit amount b^(0). We first address a default 
scenario which only allows the buyer to issue “buy” requests. A protocol (B, V) 
as above is considered secure if it satisfies the following requirements: 

Correctness. If both B and V are honest, then B outputs the correct item x^i 
at the end of each transaction. 

Buyer’s Security. A malicious vendor should not learn the choices made by an 
honest buyer. More formally, the view of any efficient (and possibly malicious) 
V* in the interaction (B, V*)(1^κ) can be efficiently simulated. We note that 
this requirement is weaker than that of general security definitions in that it 
does not address the effect V* may have on the output of B. In particular, V* 
does not need to “know” a database x which is effectively determined by its 
strategy in a given transaction. This is consistent with other definitions of 
related primitives (such as PIR, see Section 2.3, or even some definitions of 
oblivious transfer). 

Vendor’s Security. A malicious buyer should not obtain more information 
than what its initial deposit allows. This is formalized by requiring that the 
interaction of B* with an honest vendor V could be efficiently simulated in the 
natural idealized model. 
Our security definitions for the general case, where the buyer may take any of 
the four actions, are more subtle. In a nutshell, the vendor’s security 
requirement remains unchanged, and can be defined as above. The buyer’s security 
in this setting may also be defined similarly to the above. However, such a 
definition will only be satisfied when the buyer’s action type is oblivious to 
the received items, i.e. depends only on public data (yet its specific selections 
i may still depend on received items). The reader is referred to the full version 
of the paper for a more detailed discussion. 

Finally, while we do not explicitly address issues of robustness or recovery 
from faults, our protocols can be extended in a straightforward manner to deal 
with these issues. 

2.3 Tools 

Homomorphic Encryption. Our constructions rely on the widely used tool of 
homomorphic encryption. Loosely speaking, an encryption scheme is said to be 
homomorphic if: (1) the plaintexts are taken from a group (H, +); (2) from 
encryptions of group elements h_1, h_2 it is possible to efficiently compute a 
random encryption of h_1 + h_2. A useful consequence is that given an encryption 
of a group element h and an integer c in binary representation, one can 
efficiently compute a random encryption of c · h. This is done in a similar 
fashion to the repeated squaring procedure for modular exponentiation: the 
homomorphic addition is applied to the ciphertext itself, once per bit of c to 
double and once per set bit of c to add. 

In what follows H will always be a group of a (large) prime order Q. It is 
important to note that by “+” we denote an abstract group operation. Hence, our 
notation applies both in a case where H = Z_Q is an additive group, and where 
H ⊂ Z_P^* is a multiplicative group. A useful example of a multiplicatively 
homomorphic encryption is the El-Gamal scheme. (We refer the reader to, e.g., 
[ref] for relevant definitions.) In this case, H is the subgroup of Z_P^* of 
order Q, where Q is a prime of length κ that divides P − 1. 

We prefer an additive notation over a multiplicative one due to its more 
intuitive nature in our context. However, our protocols can be instantiated with 
both types of encryption. We note that all of our constructions can be based on 
the El-Gamal encryption (whose security is equivalent to the DDH assumption, 
cf. [ref]) and most on any other homomorphic encryption scheme candidate, e.g. 
[ref]. An additional property enjoyed by the El-Gamal encryption, which explains 
the above distinction, is discussed below. 

Verifiability. It is sometimes required to verify the validity of a public key 
k and the validity of a ciphertext c relative to a valid k. Luckily, the latter 
verification task is typically easy, and we can therefore assume it as part of 
our default requirements. However, in most encryption schemes the validity of 
the public key itself is difficult to verify. To this end a special 
zero-knowledge proof procedure may be employed during the initialization stage 
of our protocols. This step, however, is not always needed. A useful added 
feature of the El-Gamal scheme is that its public keys are easily verifiable: to 
verify that (P, Q, g, h) constitutes a valid public key, it is enough to verify 
that P, Q are prime, Q divides P − 1, and g^Q = h^Q = 1 (mod P), with g ≠ 1 
(the trivial element g = 1 also satisfies g^Q = 1 but generates no group of 
order Q, so it must be excluded explicitly). 



Priced Oblivious Transfer: How to Sell Digital Goods 125 



PIR. A Private Information Retrieval (PIR) protocol [ref] allows a user to 
retrieve a selected item from a database while hiding the identity of this item 
from the server holding the database. PIR only requires the protection of the 
user, and makes no requirement on the privacy of the database. Thus, a naive 
solution to the PIR problem is to send the entire database to the user. When the 
database is large, this solution is very expensive in terms of communication. 
The main goal of PIR-related research has been to minimize the communication 
complexity of PIR, which is measured by default as the cost of retrieving one out 
of n bits. The current state of the art can be briefly summarized as follows. 
Assuming either a general homomorphic encryption [ref] or a stronger number 
theoretic assumption [ref], the asymptotic communication complexity of PIR can 
be made very small. In practice, however, the naive solution is still preferable 
when the database does not contain too many items. Thus, when we use PIR as a 
building block in our protocols, one should always keep in mind that the naive 
solution can be used in a case where the number of items is small. 

Naor-Pinkas Pseudorandom Sequence. A variant of PIR where the user is restricted 
to learn no more than a single data item has been referred to in the literature 
as symmetrically private information retrieval (SPIR) [ref] (see the footnote 
below). In [ref] (followed by [ref]), Naor and Pinkas suggested the following 
reduction from SPIR to PIR. Suppose that there is an efficient method allowing 
the user to retrieve exactly one out of n pseudo-random items (r^0, ..., r^{n−1}) 
chosen by the server. Then, SPIR can be solved by applying such a procedure and 
concurrently applying PIR on (x^0 ⊕ r^0, ..., x^{n−1} ⊕ r^{n−1}). The 
pseudo-random sequence (r^0, ..., r^{n−1}) is created in the following way. 
Represent i as a length-ℓ binary string i_1 ... i_ℓ (in this case, ℓ = log n). 
Let (s_1^0, s_1^1), (s_2^0, s_2^1), ..., (s_ℓ^0, s_ℓ^1) be ℓ pairs of 
independent keys to a pseudo-random function f, and define 
r^i = ⊕_{j=1}^{ℓ} f_{s_j}(i), where s_j = s_j^{i_j}. By letting the user obtain 
exactly one key from each pair (s_j^0, s_j^1), the user can learn any selected 
r^i, but no more than one r^i. A SPIR protocol constructed via the above method 
keeps all but a single data item x^i semantically secure from the user. More 
precisely, it is possible to simulate the view of a user, whose log n selections 
define an index i, based on x^i alone (up to computational indistinguishability). 

Conditional Disclosure of Secrets. Motivated by the problem of constructing 
efficient SPIR protocols in the multi-server setting, Gertner et al. [ref] 
suggested the following conditional disclosure primitive. An input string y to a 
public Boolean predicate C is partitioned among k servers, such that no server 
knows the entire string y. In addition, one of the servers holds a secret s. The 
goal of the servers is to each send a single message to a user, who knows y, 
such that the user will learn s if C(y) = 1 and otherwise will learn no 
information on s. To make this possible, the servers have a common random input 
r which is unknown to the user. In [ref], the problem is reduced to linear 
secret-sharing. It is shown that the communication complexity of conditional 
disclosure as above is linear in the span program size of C (and in particular 
in the formula size of C). If the user is allowed to “help” the servers by 
secret-sharing a witness to the validity of C(y) between them (without letting 
individual servers learn additional information on y), the communication can be 
made linear in the circuit size of C. Moreover, these solutions were efficiently 
extended to the non-Boolean case, where y is a string over a large field F, and 
the condition C tests whether y satisfies some linear equation over F (or more 
complicated predicates over such atomic conditions). 

Footnote: This problem is very similar to (n choose 1)-OT, i.e. 1-out-of-n 
oblivious transfer, except for a different multi-server model and the focus on 
sublinear communication. 

A main ingredient of our protocol is an almost exact adaptation of the above 
conditional disclosure scenario to the single-server setting. In our setting, y 
will always be viewed as a vector over a large field F = Z_Q. Instead of 
partitioning y = (y_1, ..., y_m) among several servers, a single server holds a 
public key k, the encryptions E_k(y_1), ..., E_k(y_m), and a secret s ∈ F. The 
user holds both y and the secret key corresponding to k. An important 
observation regarding the solutions to the multi-server conditional disclosure 
problem mentioned above is that the joint messages sent by the servers may be 
expressed as a random linear function of (y, s), where the distribution of this 
linear function depends only on C. Therefore, if the encryption scheme E is 
homomorphic, the server may compute an encryption of these messages from E_k(y). 
Instead of formulating our solutions in a general complexity-theoretic 
terminology, we will solve the required instances along the way in an intuitive 
way. 



3 Solving the Problem 

In this section we describe our solutions for the priced oblivious transfer 
problem. For the sake of presentation, we develop our solutions gradually and 
improve their efficiency along the way. In particular, the only operation we 
consider at first is ‘buy’. We deal with subscription operations in Section 4. 

Establishing a Public-Key Meta Structure. As described in the introduction, 
during the entire run of our protocol the vendor will maintain an encryption of 
the buyer’s current balance (using the public key of the buyer). Let E, D and G 
be the encryption, decryption and key-generation algorithms respectively. In the 
initialization phase of the protocol (time 0), the buyer applies G to sample a 
public-key, secret-key pair (k, sk) and sends the public-key k to the vendor. 
The vendor needs to verify that k is indeed a valid public-key and that the 
buyer knows a private-key sk that corresponds to k. Therefore, the buyer also 
proves in zero-knowledge that it knows an input of G that generates the public 
key k (see the footnote below). Finally, the vendor sets the current balance 
b^(0) to the initial deposit of the buyer and creates an encryption E_k(b^(0)) 
of the balance. 

The first challenge in designing our protocol is that, at each transaction, the 
vendor needs to update the encrypted balance E_k(b) by some value p without 
knowing either b or p. It should not be surprising that in order to do so it is 
useful to let E be a homomorphic encryption. Recall that we assume that the 
plaintexts are taken from a group G_Q of order Q, where Q is a prime of length 
κ. Under our additive notation, it is convenient to view G_Q as the field 
F = Z_Q. 

Footnote: Suppose that the encryption scheme enjoys the verifiability property 
discussed in Section 2.3. In this case, if the vendor is willing to settle for a 
somewhat weaker notion of security, it can verify the validity of k on its own 
instead of letting the buyer prove this validity as above. We use this fact in 
our one-round oblivious transfer (where we cannot afford the additional rounds 
required for the zero-knowledge proof). 
Representations. We assume for simplicity that the length of each data item x^i 
is smaller than the security parameter κ. Even if this is not the case, our 
problem can be reduced to that of selling keys which encrypt the actual data. We 
take B = 2^ℓ to be an upper bound on the initial balance, where B < Q. This 
allows us to represent prices and balances as elements of F by identifying (in 
the natural way) each integer i in the interval [B − Q, B − 1] with the 
corresponding element of F. Thus, the elements 0, 1, ..., B − 1 ∈ F will be 
referred to as non-negative, and B, ..., Q − 1 as negative. In all of our 
protocols we will view a non-negative balance as being valid, and a negative 
balance as being invalid. If the buyer’s balance is negative, it should not be 
allowed to learn any additional information. 

3.1 Basic Solution 

We present a solution where each transaction (here, a single ‘buy’ operation) 
requires two passes of communications: (1) A message from the buyer; (2) The 
vendor’s reply. This is optimal since even without privacy the buyer still needs 
to specify the item it wants to retrieve and the vendor needs to send this item. 

Assume without loss of generality that all item prices are distinct. (This 
assumption can be easily dispensed with at a moderate efficiency cost, e.g. by 
replacing each price p^i by B'p^i − i for a sufficiently large B', and scaling 
the initial deposit by a factor of B'.) The most essential part of the buyer’s 
message is an encryption E_k(p) where p is the price of the item it wants to 
retrieve. The vendor needs to perform two operations: (1) update the balance; 
(2) send back (in some encrypted form) the item x^i such that p = p^i. 

Updating the Balance. Since the vendor has an encryption of the current balance 
Ek(b) and it received an encryption Ek{p) of the retrieved item’s price, it seems 
that updating the balance is not a problem. Simply create an encryption Ek{b—p) 
of the new balance using the homomorphism of E. However, we should be careful: 
By setting p to be negative (e.g. b — B + 1), the buyer can arbitrarily increase 
its balance (this is of course undesirable, regardless of whether in this specific 
transaction the buyer gains any information). 

One way to prevent the buyer from cheating in this manner is to require it to 
prove in a zero-knowledge fashion that 0 ≤ p ≤ b. Such a solution requires more 
passes of interaction than desired. A better solution in this respect is for the 
buyer to use non-interactive zero-knowledge proofs of this claim (for which the 
buyer and vendor can agree upon a random string in the initialization phase of 
the protocol). However, non-interactive zero-knowledge proofs are usually very 
inefficient and we therefore give in Section 3.3 an alternative (more efficient) 
solution. Jumping ahead, the vendor in the revised protocol will not try to 
verify that p is in the right range but will rather make sure that any such 
violation on the part of the buyer will cripple all future interactions. We note 
that [ref] gives an efficient zero-knowledge proof for a related problem, of 
proving that a committed number lies in an interval. However, the problem we 
solve (and hence our machinery for solving it) is easier. 

Sending an Item. We now assume that 0 ≤ p ≤ b and that the balance was updated 
by the vendor. All that is left is for the vendor to “send” an item x^i such 
that p = p^i (if such an item exists). 

The vendor’s message is composed of n (parallel) messages m^1, m^2, ..., m^n. 
For every j, the message m^j allows the buyer to compute x^j in case p = p^j 
and gives the buyer no information if p ≠ p^j. Note that for a fixed j, what we 
have is in a sense an instance of conditional disclosure in a computational 
setting. The vendor wants to disclose the value x^j conditioned on p = p^j. For 
this simple condition (equality) the solution is very simple: for every j, the 
vendor uniformly samples α^j ∈ Z_Q and sets m^j to be a (random) encryption 
E_k(β^j) of β^j = α^j · (p − p^j) + x^j, computed from E_k(p) using the 
homomorphism. It is immediate that β^j = x^j in case p = p^j, and that β^j is 
uniform in Z_Q if p ≠ p^j (therefore, in this case the buyer gets no 
information on x^j in an information theoretic sense). 

Adapting the conditional disclosure methodology of [ref] to the computational 
setting is one of the main tools of our solution. In addition to the example 
above, it is used extensively in later sections. 
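As an added illustration (example code written for this edit, not an implementation from the paper), the following Python instantiates the tools of Section 2.3 and the basic ‘buy’ step above with multiplicative El-Gamal: the public-key validity check (P, Q prime, Q | P − 1, g^Q = h^Q = 1 mod P, g ≠ 1), homomorphic multiplication and exponentiation by square-and-multiply applied to ciphertexts, the balance update E_k(b) → E_k(b − p) performed without knowing b or p, and the equality conditional disclosure m^j = E_k(x^j + α^j(p − p^j)). Field elements v ∈ Z_Q are carried as g^v, so the paper’s additive notation becomes multiplication in the order-Q subgroup; the items x^j are random subgroup elements standing in for decryption keys. The group parameters are toy-sized (a 61-bit Q, found at runtime) and the prices, balance and items are constructed here; the range check 0 ≤ p ≤ b is assumed, exactly as in this subsection.

```python
import secrets

BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41]  # MR with these bases is exact below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group():
    """Toy parameters (constructed): Q = 2^61 - 1, P = kQ + 1 prime, g of order Q in Z_P^*."""
    Q = (1 << 61) - 1
    k = 2
    while not is_prime(k * Q + 1):
        k += 2
    P = k * Q + 1
    g = pow(2, k, P)
    return P, Q, (g if g != 1 else pow(3, k, P))


def keygen(P, Q, g):
    sk = 1 + secrets.randbelow(Q - 1)
    return (P, Q, g, pow(g, sk, P)), sk


def valid_public_key(pk):
    """Section 2.3 check: P, Q prime, Q | P - 1, g^Q = h^Q = 1 (mod P), and g, h != 1."""
    P, Q, g, h = pk
    return (is_prime(P) and is_prime(Q) and (P - 1) % Q == 0 and 1 < g < P
            and 1 < h < P and pow(g, Q, P) == 1 and pow(h, Q, P) == 1)


def encrypt(pk, m):                      # El-Gamal; m must lie in the order-Q subgroup H
    P, Q, g, h = pk
    r = secrets.randbelow(Q)
    return (pow(g, r, P), m * pow(h, r, P) % P)


def decrypt(pk, sk, ct):
    P = pk[0]
    return ct[1] * pow(ct[0], P - 1 - sk, P) % P    # c2 * c1^(-sk)


def rerandomize(pk, ct):                 # multiply by a fresh encryption of 1
    P, Q, g, h = pk
    r = secrets.randbelow(Q)
    return (ct[0] * pow(g, r, P) % P, ct[1] * pow(h, r, P) % P)


def hmul(pk, a, b):                      # E(m1), E(m2) -> random E(m1 * m2)
    P = pk[0]
    return rerandomize(pk, (a[0] * b[0] % P, a[1] * b[1] % P))


def hpow(pk, ct, e):                     # E(m) -> random E(m^e): square-and-multiply on the ciphertext
    P = pk[0]
    acc, base = (1, 1), ct
    while e:
        if e & 1:
            acc = (acc[0] * base[0] % P, acc[1] * base[1] % P)
        base = (base[0] * base[0] % P, base[1] * base[1] % P)
        e >>= 1
    return rerandomize(pk, acc)


def enc_field(pk, v):                    # a field element v of Z_Q travels as g^v
    P, Q, g, h = pk
    return encrypt(pk, pow(g, v % Q, P))


def vendor_update_balance(pk, enc_b, enc_p):
    """E(g^b), E(g^p) -> E(g^(b-p)) without learning b or p; g^(p(Q-1)) = g^(-p)."""
    return hmul(pk, enc_b, hpow(pk, enc_p, pk[1] - 1))


def vendor_offer(pk, enc_p, prices, items):
    """Section 3.1: m^j = E(X^j * g^(alpha_j (p - p^j))), which opens to X^j iff p = p^j."""
    Q, out = pk[1], []
    for pj, Xj in zip(prices, items):
        alpha = 1 + secrets.randbelow(Q - 1)
        enc_diff = hmul(pk, enc_p, enc_field(pk, -pj))        # E(g^(p - p^j))
        out.append(hmul(pk, encrypt(pk, Xj), hpow(pk, enc_diff, alpha)))
    return out


def buy_transaction(prices, balance, choice):
    """One 'buy' with 0 <= p <= b assumed, as in Section 3.1. Returns (public key passed
    the validity check, which offers opened to the true item, new balance equals b - p)."""
    P, Q, g = make_group()
    pk, sk = keygen(P, Q, g)
    items = [pow(g, 1 + secrets.randbelow(Q - 1), P) for _ in prices]  # constructed keys X^j
    enc_b = enc_field(pk, balance)                # the vendor's stored encrypted balance
    enc_p = enc_field(pk, prices[choice])         # the buyer's message E_k(p)
    offers = vendor_offer(pk, enc_p, prices, items)
    opened = [decrypt(pk, sk, m) == Xj for m, Xj in zip(offers, items)]
    new_b = decrypt(pk, sk, vendor_update_balance(pk, enc_b, enc_p))
    return valid_public_key(pk), opened, new_b == pow(g, balance - prices[choice], P)
```

Because α^j ranges over 1, ..., Q − 1 and the prices are distinct and smaller than Q, the exponent α^j(p − p^j) is never 0 mod Q for j ≠ i, so every non-matching offer opens to X^j times a non-identity element: the buyer recovers exactly one item, and the vendor never sees p, b or i in the clear.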

3.2 Reducing the Communication 

The protocol of Section 3.1 has the disadvantage that the vendor’s message is 
of linear length as a function of n (the number of items). This in itself is 
already a non-trivial result and for some applications may be sufficient. We now 
give a simple method for reducing the communication. In Section 3.5 we provide a 
method for reducing the communication which is superior in most settings of the 
parameters (but is slightly more involved). 

The main observation for reducing the communication is simple: if the buyer 
wants to retrieve item x^i then the only part of the vendor’s message it needs 
is the value m^i (in fact, the rest of the message is useless to it). Therefore, 
instead of getting the entire sequence m^1, m^2, ..., m^n, the buyer can just 
retrieve m^i using a PIR protocol (where we view the vendor’s message as a 
database of n records). Note that in this case PIR is sufficient since security 
is preserved even if the buyer learns the entire sequence. 

3.3 Avoiding Zero-Knowledge Proofs 

In the protocol of Section 3.1 the buyer sends an encryption E_k(p) and proves 
in zero-knowledge that 0 ≤ p ≤ b. This was important for two reasons: (1) to 
prevent the buyer from learning x^i with p^i > b in the current transaction; (2) 
to prevent the buyer from increasing its balance (in order to gain additional 
information in future transactions). However, as discussed above, both 
interactive and non-interactive zero-knowledge proofs are not efficient enough 
for our needs, and are in a sense an overkill. We now show how to replace 
zero-knowledge proofs with conditional disclosures. In these solutions, the 
vendor will not be able to detect a value p that is outside of the range [0, b]. 
Nevertheless, each such violation will prevent the buyer from learning any 
additional information. 

The idea is simple. At the t-th transaction, the vendor will sample a random 
mask v^t and a random receipt u^t. The vendor will disclose v^t and u^t under 
the condition that 0 ≤ p ≤ b. The value v^t will be used to mask the interaction 
in the current transaction (i.e. instead of retrieving x^i the buyer will 
retrieve x^i + v^t). The value u^t will be used as a receipt for future 
interaction: knowing u^t implies that the buyer behaved correctly until now. 

A naive way to use the receipt u^t is to require the buyer to send it at the 
beginning of the next transaction. As it turns out, this solution may compromise 
the privacy of the buyer against a malicious vendor (such a vendor can disclose 
u^t under a condition of its own choosing, e.g. p = p^j for a particular j, and 
read off from the buyer’s next message whether that condition held). We 
therefore use a chaining technique: at the t-th transaction the buyer will also 
send an encryption E_k(u). The vendor will disclose v^t and u^t under the 
condition (0 ≤ p ≤ b) ∧ (u = u^{t−1}). We note that other methods of chaining 
are possible in this scenario. However, we find this particular solution 
appealing, both from a conceptual point of view and because it allows the 
vendor’s security to remain statistical. 

One may view this kind of chaining as an ongoing proof of the buyer that it 
behaves correctly, where the proof never gets to its conclusion (i.e. convincing 
the vendor). This kind of a technique may be useful in other scenarios. 

It remains to show how to perform the more involved conditional disclosure 
needed here. We already saw how to perform conditional disclosure for equality. 
This also implies a recursive way to perform conditional disclosure under any 
condition that can be described as a monotone formula where the leaves are 
equalities: assume we know how to perform conditional disclosure under the 
conditions A_1 and A_2. To perform conditional disclosure of x under 
(A_1 ∨ A_2), just perform two independent conditional disclosures of x, one 
under A_1 and the other under A_2. To perform conditional disclosure of x under 
(A_1 ∧ A_2), sample a random mask r, disclose r under A_1 and x + r under A_2. 

To perform a conditional disclosure under the condition (0 ≤ p ≤ b) ∧ 
(u = u^{t−1}) it is enough to describe the condition 0 ≤ p ≤ b by a small 
monotone formula as above. For this purpose we will need some help from the 
buyer. Recall that B = 2^ℓ is an upper bound on a valid balance. In its message, 
the buyer will send separate encryptions of the bits b_{ℓ−1}, ..., b_0 and 
p_{ℓ−1}, ..., p_0, where b_{ℓ−1} ... b_0 is supposed to be the binary 
representation of the current balance b and p_{ℓ−1} ... p_0 defines the price p 
(i.e. p = Σ_j p_j 2^j). Note that the vendor can create an encryption of p from 
the encryptions of the bits p_j. The condition 0 ≤ p ≤ b is implied by the 
conjunction of the following conditions: (1) b = Σ_j b_j 2^j; (2) b_{ℓ−1}, ..., 
b_0 and p_{ℓ−1}, ..., p_0 are all bits; (3) p ≤ b when p and b are viewed as 
integers. It is well known (and rather simple) that (3) can be represented as a 
monotone formula of size O(ℓ) with leaves that are equalities (in the bits 
b_{ℓ−1}, ..., b_0, p_{ℓ−1}, ..., p_0 and the constants 0 and 1). We may 
therefore conclude that 0 ≤ p ≤ b can also be represented as such a monotone 
formula of size O(ℓ). 
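The composition rules above, spelled out as an added Python example (this is editor-supplied code, not code from the paper). Leaves are conditions of the form Σ_i a_i y_i = c over F = Z_Q, disclosed as α(Σ_i a_i y_i − c) + s for a fresh random α; a conjunction splits the secret with a random mask and a disjunction discloses it twice. The block builds the O(ℓ) monotone formula for p ≤ b from the most significant bit down, then the full condition (b = Σ_j b_j 2^j) ∧ (all b_j, p_j are bits) ∧ (p ≤ b) ∧ (u = u^{t−1}) under which the receipt u^t is disclosed. It operates on the plaintext vector y so that the linear-function view of Section 2.3 is visible; in the protocol the vendor holds only E_k(y) and evaluates exactly the same affine map under the homomorphism, never seeing y. The field size and all inputs are constructed for the example.

```python
import secrets

# Toy field F = Z_Q; this prime plays the role of the paper's group order Q (constructed choice).
Q = (1 << 61) - 1


def rand_field():
    return secrets.randbelow(Q)


def to_bits(v, l):
    return [(v >> j) & 1 for j in range(l)]


def eq(i, c):
    """Leaf: y[i] = c, written as the linear condition 1 * y[i] = c."""
    return ("lin", {i: 1}, c % Q)


def and_all(conds):
    f = conds[0]
    for g in conds[1:]:
        f = ("and", f, g)
    return f


def size(cond):
    """Number of leaves, i.e. the number of field elements the vendor sends."""
    return 1 if cond[0] == "lin" else size(cond[1]) + size(cond[2])


def disclose(cond, y, s):
    """Vendor side: messages that reveal s exactly when cond(y) holds. Each message is a random
    affine function of (y, s); the real vendor evaluates this map on E_k(y) homomorphically."""
    kind = cond[0]
    if kind == "lin":                     # sum_i a_i * y_i = c
        _, coeffs, c = cond
        lhs = (sum(a * y[i] for i, a in coeffs.items()) - c) % Q
        return [(rand_field() * lhs + s) % Q]        # s if lhs = 0, else uniform in F
    if kind == "or":                      # two independent disclosures of s
        return disclose(cond[1], y, s) + disclose(cond[2], y, s)
    r = rand_field()                      # and: r under A_1, s + r under A_2
    return disclose(cond[1], y, r) + disclose(cond[2], y, (s + r) % Q)


def recover(cond, y, msgs):
    """Buyer side (knows y): consumes the messages in disclose order.
    Returns (value, holds); value equals s only when holds is True."""
    kind = cond[0]
    if kind == "lin":
        _, coeffs, c = cond
        lhs = (sum(a * y[i] for i, a in coeffs.items()) - c) % Q
        return next(msgs), lhs == 0
    if kind == "or":
        v1, ok1 = recover(cond[1], y, msgs)
        v2, ok2 = recover(cond[2], y, msgs)
        return (v1 if ok1 else v2), (ok1 or ok2)
    r, ok1 = recover(cond[1], y, msgs)
    t, ok2 = recover(cond[2], y, msgs)
    return (t - r) % Q, (ok1 and ok2)


def le_formula(l):
    """p <= b on l-bit integers with leaves y[j] = b_j and y[l + j] = p_j. From the top bit down:
    LE_j = (p_j = 0 and b_j = 1) or (p_j = b_j and LE_{j-1}); six leaves per bit, so size 6l."""
    def eq_bits(j):
        return ("or", ("and", eq(l + j, 0), eq(j, 0)), ("and", eq(l + j, 1), eq(j, 1)))

    def lt_at(j):
        return ("and", eq(l + j, 0), eq(j, 1))

    f = ("or", lt_at(0), eq_bits(0))
    for j in range(1, l):
        f = ("or", lt_at(j), ("and", eq_bits(j), f))
    return f


def request_condition(l, u_prev):
    """(b = sum_j b_j 2^j) and (every b_j, p_j is a bit) and (p <= b) and (u = u^{t-1}),
    over y = (b_0..b_{l-1}, p_0..p_{l-1}, b, u); b is the balance the vendor holds encrypted."""
    bits_ok = and_all([("or", eq(i, 0), eq(i, 1)) for i in range(2 * l)])
    coeffs = {2 * l: 1}
    coeffs.update({j: (-(1 << j)) % Q for j in range(l)})
    balance_ok = ("lin", coeffs, 0)
    return and_all([balance_ok, bits_ok, le_formula(l), eq(2 * l + 1, u_prev)])


def receipt_transaction(l, claimed_b_bits, p_bits, vendor_b, u, u_prev):
    """One disclosure of a fresh receipt. Returns (u_t chosen by the vendor, value the buyer
    recovers, whether the condition held); a cheating buyer gets a uniform value, not u_t."""
    y = list(claimed_b_bits) + list(p_bits) + [vendor_b % Q, u % Q]
    cond = request_condition(l, u_prev)
    u_t = rand_field()
    msgs = disclose(cond, y, u_t)
    got, holds = recover(cond, y, iter(msgs))
    return u_t, got, holds
```

The vendor never branches on y: `disclose` produces the same number of messages whatever the buyer sent, and only the buyer, who knows y, can tell which leaves held. A buyer that claims the wrong balance bits, sends a non-bit, asks for p > b, or presents a stale receipt gets a value independent of u^t and is locked out of every later transaction.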

3.4 Putting the Pieces Together 

The ideas presented so far already combine into a protocol that satisfies the 
specification of Section 2.1, has the desired communication pattern, and is 
relatively efficient. This protocol is still not the most efficient we propose 
(significant improvements are described in Section 3.5) and it does not handle 
subscriptions (which are dealt with in Section 4). Nevertheless, since most of 
the ideas already appear in this solution, we now give a short summary of the 
protocol and informally discuss its properties. 

130 Bill Aiello, Yuval Ishai, and Omer Reingold 

The Protocol. 

Initialization. The buyer applies the key generator G to sample a public-key, 
secret-key pair (k, sk) and sends the public-key k to the vendor. The buyer also 
proves in zero-knowledge that it knows an input of G that generates the public 
key k. The vendor creates an encryption of the initial balance b^(0). Finally, 
both set u^0 to be some predefined string (e.g. the all zero string). 

Buyer (Time t > 0). The buyer’s message is composed of (1) E_k(u) (u is supposed 
to be u^{t−1}); (2) E_k(b_{ℓ−1}), ..., E_k(b_0) and E_k(p_{ℓ−1}), ..., E_k(p_0), 
where b_{ℓ−1} ... b_0 is supposed to be the binary representation of the current 
balance b^{(t−1)} and p_{ℓ−1} ... p_0 the binary representation of the price 
p^i; (3) a PIR query q for the index i. 

Vendor. The vendor computes an encryption of p = Σ_j p_j 2^j and creates an 
encryption of the new balance b^{(t)} = b^{(t−1)} − p. It samples two keys v^t 
and u^t uniformly at random in F and discloses both under the condition 
(b = Σ_j b_j 2^j) ∧ (0 ≤ p ≤ b) ∧ (u = u^{t−1}), where b = b^{(t−1)} is the 
balance the vendor holds encrypted. For every j, the vendor computes m^j, which 
is the conditional disclosure of x^j + v^t under the condition p^j = p. Finally, 
the vendor answers with the PIR answer to the query q for the database 
(m^1, ..., m^n). 

Buyer’s Output. The buyer retrieves m^i and computes x^i (which is its output 
for this transaction). In addition, the buyer recovers and stores u^t for future 
interaction and also remembers the new balance. 

Properties. 

Correctness. For an honest buyer and vendor this is straightforward. 

Buyer’s Security. Follows from the semantic security of E since all that the 
(even malicious) vendor sees at each transaction is a fixed number of 
encryptions. That is, a simulator for the view of V* may first simulate the 
initialization stage, and then produce an appropriate number of encryptions (of 
arbitrary plaintexts) for each transaction. 

Vendor’s Security. For any buyer B*, even malicious and unbounded, there exists 
an efficient simulator S, with black-box access to B*, that produces an output 
which is statistically close to the view of B*. The simulator invokes B* and 
simulates its conversation with V. The first step is to extract (using the 
zero-knowledge extractor) the secret-key sk that corresponds to k. Given this 
information, the rest of the simulation is fairly trivial. The only point that 
needs arguing is that starting at the first time t for which the condition 
(b = Σ_j b_j 2^j) ∧ (0 ≤ p ≤ b) ∧ (u = u^{t−1}) is violated, it will be violated 
at all subsequent transactions (with overwhelming probability): the buyer then 
learns nothing about u^t and can only guess the receipt required at time t + 1. 

Efficiency. Excluding the PIR protocol, the buyer performs O(ℓ) public-key 
operations and its message consists of O(ℓ) encryptions. The vendor however is 
much less efficient: it performs O(n) public-key operations (to create the 
messages m^j). The vendor’s message consists of a PIR reply for the database 
containing the strings m^j. This in itself already seems optimal: any solution 
to our problem will in particular give a PIR protocol for the database 
x^1, ..., x^n. Therefore, we cannot expect to have communication which is 
smaller than that of a PIR protocol. However, here the strings m^j can be 
significantly longer than the strings x^j (each m^j is an encryption rather than 
a plain item), which may result in a communication blowup. In Section 3.5 we 
show how to achieve savings in both the communication and the work on the part 
of the vendor. 
3.5 Additional Improvements 

We now describe a modification of the protocol of Section 3.4 that typically 
improves its performance. The alternative approach is especially natural in the 
case where the vendor only sells keys encrypting the data, and the encrypted 
data is accessed by other means (e.g., via broadcast, or a PIR protocol). We 
assume that these keys are refreshed at each transaction (in particular, we 
would not like the buyer to get all future values of x^i after buying it once) 
and describe the modification in this setting. 

The keys that the vendor will sell are a carefully chosen subsequence of the Naor-Pinkas pseudo-random sequence (see the preliminaries). Let $\ell$ be as above (i.e. the length of the binary representation of prices). Let $(s_0^0, s_0^1), (s_1^0, s_1^1), \ldots, (s_{\ell-1}^0, s_{\ell-1}^1)$ be $\ell$ pairs of independent keys to a pseudo-random function $f$, and let $\{k_z\}_{z \in \{0,1\}^\ell}$ be the Naor-Pinkas sequence that is generated by these $\ell$ key pairs.

The idea is the following. Let the $j$-th key that the vendor sells be the element of the Naor-Pinkas sequence indexed by the price $p^j$ of this key (i.e. the element $k_{p^j}$). This slightly unusual choice (the more natural choice seems to be taking the $j$-th key to simply be $k_j$) is the main observation of the revised protocol. To make it even more compatible with our solution, we let the $j$-th key at time $t$ be $k_{p^j} + y^t$ (recall that the sequence $\{k_z\}_{z \in \{0,1\}^\ell}$ is refreshed at each transaction). We can now consider the following adjustment in the protocol.

The buyer sends almost the same message as before (there is no need to send the PIR query). Recall that as part of its message, the buyer sends encryptions of the bits of the price $E_k(p_{\ell-1}), \ldots, E_k(p_0)$. The vendor updates the balance and discloses $v^t$ and $u^t$ as before. In addition, for every $0 \le j < \ell$ and $a \in \{0, 1\}$, the vendor discloses $s_j^a$ conditioned on $p_j = a$. Recall that given the $\ell$ keys $s_{\ell-1}^{p_{\ell-1}}, \ldots, s_0^{p_0}$, the buyer can compute $k_p$, whereas the rest of the sequence (i.e. $k_z$ for $z \ne p$) remains pseudo-random. This implies the security of the protocol.

As for efficiency, we have that the $O(n + \ell)$ public-key operations of the previous protocol are reduced to $O(\ell)$ public-key operations, plus at most $n\ell$ private-key operations. The above excludes the computational cost of PIR, which depends on its specific implementation. In terms of communication, both the buyer and the vendor need only to send $O(\ell)$ encryptions, and in addition to invoke a PIR protocol on a database which is now of an optimal size (since here each item is masked with a pseudo-random string of the same size).

4 Subscription 

Recall that our motivation for letting the buyer issue a “subscribe” request is 
to allow efficient one-way communication from the vendor to the buyer. In this 
abstract we will sketch a relatively simple solution to this problem. A more 
efficient solution, whose details can be found in the full version, will be briefly 
discussed at the end of this section. 

Subscribing. As in the previous protocol, B sends to V encryptions of the bits of $p = p^i$ and $b$. In addition, B picks a value $r$, $0 \le r < 2^\ell$, which is assumed to be a length of a prefix of the $i$-th channel it is entitled to buy, and sends encryptions of the $\ell$ bits of $r$. An honest buyer can let $r = \lfloor b/p \rfloor$, regardless of the intended subscription length. V discloses a mask $v$ and a receipt $u$ subject to the condition $(0 \le)\; r \cdot p \le b$, and a key $k^p$ encrypting the future contents of the channel indexed by $p$. An efficient implementation of the former disclosure, which requires some additional help from B, will be described later. As before, $k^p$ and $v$ will be used to encrypt the received data during the current subscription, and the receipt to cripple future transactions in a case of cheating.

Maintaining a Subscription. At the $t$-th transaction following a subscription, each channel will further be masked with a key $v_t$, which will be disclosed subject to the condition $t \le r$. Note that this does not require the help of B, since the encrypted bits of $r$ are given to the vendor during the initialization.

Unsubscribing. If B unsubscribes after $T$ transactions, V deducts from its balance the amount $T \cdot p$ (note that this can be done efficiently from the public value $T$ and the encrypted values of $p, b$). If the buyer's balance turns negative (by failing to unsubscribe before depleting its balance), all its future transactions will automatically be crippled (see the footnote at the end of this section).

It remains to describe the implementation of the conditional disclosure in the subscription procedure described above, namely a disclosure subject to the condition $r \cdot p \le b$. The fact that the underlying field $F$ is large allows us to obtain much greater efficiency than that obtained by emulating a Boolean multiplication circuit. The disclosure procedure proceeds as follows. B will provide, as additional help, encryptions of $a_{\ell-1} = (r_{\ell-1} 2^{\ell-1}) \cdot p, \ldots, a_0 = (r_0 2^0) \cdot p$. If B acts honestly, these should sum up to the product $r \cdot p$. To guarantee that each $a_j$ is valid, observe that V can compute the two possible valid values of $a_j$, and disclose to B a mask subject to the condition that $a_j$ is indeed consistent with the value of $r_j$. That is, the $j$-th conjunct in the condition is of the form $(r_j = 0 \wedge a_j = 0) \vee (r_j = 1 \wedge a_j = 2^j p)$. Finally, using the methods of the previous section, an additional mask will be disclosed subject to the condition $\sum_j a_j \le b$ (note that an encryption of $\sum_j a_j$ can be computed by the vendor alone). As before, the latter conditional disclosure will require B to send the encrypted bit representation of the sum. This concludes the description of the conditional disclosure procedure, and thus of the entire subscription protocol.

Efficiency. Both initializing a subscription and each subsequent transaction require $O(\ell)$ public-key operations, with communication consisting of $O(\ell)$ encryptions. In comparison to the implementation of a "buy" operation from the previous section, initializing a subscription is more expensive, but maintaining it is significantly cheaper.

A More Efficient Protocol. In a typical case where subscriptions are more fre- 
quently maintained than initialized, it is important to optimize the efficiency of 
the procedure for maintaining a subscription. In particular, it is desirable to avoid 
public-key operations altogether. In the full version of this paper we describe an 
implementation which achieves the above goal. In the core of this solution is 
an efficient subprotocol, performed during the subscription initialization stage, 
which allows B to effectively learn a prefix of length r from a pseudo-random 
key sequence of length $2^\ell$. This subprotocol may be of independent interest.



Footnote: We assume here that $|F|/2^\ell$ is sufficiently large to make a balance wraparound infeasible. This assumption holds for any reasonable choice of parameters.
5 One-Round Oblivious Transfer

Oblivious Transfer (OT) [refs] may be viewed as the simplest atomic building block for general secure computation [ref]. OT is a 2-party protocol between Alice and Bob. In its most common variant, also known as $\binom{2}{1}$-OT, Alice holds a selection bit $b$ and Bob holds a pair of secrets $x^0, x^1$. At the end of the protocol, Alice should output $x^b$ and learn no information on $x^{1-b}$, and Bob should output and learn nothing.

As a special case of our general methodology, we obtain an efficient 1-round OT protocol which satisfies a reasonable security definition. Unlike a previous construction of [ref] which is not known to be secure under a standard computational assumption (i.e. without using the random oracle methodology), our construction can be based on the standard DDH assumption. A similar construction (and definition) has been independently proposed by Naor and Pinkas [ref]. For lack of space in this extended abstract, we only briefly describe the protocol and discuss its security features.

Our $\binom{2}{1}$-OT protocol naturally extends into a more general $\binom{n}{1}$-OT protocol (where Alice retrieves one of $n$ secrets held by Bob). We therefore directly describe our solution in this setting.

5.1 $\binom{n}{1}$-OT Protocol

Each transaction of a priced oblivious transfer protocol trivially implies an OT protocol. However, in our one-round implementations of such a transaction we assumed an initialization phase, which is not part of the setting in a standalone OT protocol. In fact, one part of the initialization phase will also be part of our OT protocol: Alice still needs to sample a public-key, secret-key pair $(k, sk)$ and send the public-key $k$ to Bob. Moreover, Bob still needs to verify that $k$ is valid. However, in this case Alice cannot prove that $k$ is valid (there is just not enough interaction). We therefore assume that the underlying homomorphic encryption scheme enjoys the verifiability property discussed in Section 2.3, as is the case for the El-Gamal scheme. For such an encryption scheme, Bob can verify on its own that $k$ has a corresponding secret key $sk$ (although Alice may not know this key). We can now define our basic $\binom{n}{1}$-OT protocol:

Alice invokes $G$ to sample a public-key, secret-key pair $(k, sk)$. She then sends to Bob the public-key $k$ and a random encryption $c = E_k(i)$ of $i$.

Bob verifies that $k$ is a valid public key and $c$ is a valid encryption. In such a case, for every $j \in [n]$, Bob computes $m^j$, which is the conditional disclosure of $x^j$ conditioned on $j = i$ (i.e. $m^j$ is a random encryption of $a_j(i - j) + x^j$ for a uniformly distributed element $a_j$ of $F$). Bob sends $m^0, \ldots, m^{n-1}$.

Alice decrypts $m^i = E_k(x^i)$ and outputs $x^i$.
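The basic protocol above, as an added Python example that is not the paper's own code: El Gamal over a constructed toy group, with Alice's index encoded as $g^i$ and the secrets $x^j$ taken as group elements, so that Bob's conditional disclosure $a_j(i-j) + x^j$ becomes the multiplicative $g^{a_j(i-j)} \cdot x^j$ and the verifiability check is plain subgroup membership.

```python
import secrets

# Toy group (constructed for this example): q | p-1 and G generates the order-q subgroup
# <g> of Z_p^*. Secrets live in <g>; El Gamal is multiplicatively homomorphic there.
P, Q, G = 1019, 509, 4


def in_group(v):  # k in <g> means a secret key sk = log_g k exists (verifiability)
    return 0 < v < P and pow(v, Q, P) == 1


def ot_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def encrypt(k, msg):
    """Random El Gamal encryption E_k(msg) = (g^r, k^r * msg) for msg in <g>."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(k, r, P) * msg % P


def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, -sk, P) % P  # negative exponent needs Python 3.8+


def alice_query(i):
    """Alice samples (k, sk) and sends k together with c = E_k(g^i), encoding her index i."""
    k, sk = ot_keygen()
    return (k, sk), (k, encrypt(k, pow(G, i, P)))


def bob_reply(query, xs):
    """For each j, m_j = random encryption of g^(a_j (i-j)) * x_j with a_j uniform in Z_q.
    For j = i the mask is g^0 = 1; for j != i it is a uniform element of <g>."""
    k, (c1, c2) = query
    if not (in_group(k) and in_group(c1) and in_group(c2)):
        raise ValueError("invalid public key or ciphertext: refuse to interact")
    reply = []
    for j, x_j in enumerate(xs):
        a_j = secrets.randbelow(Q)
        # c * g^-j is an encryption of g^(i-j); raising it to a_j gives E_k(g^(a_j (i-j)))
        d1 = pow(c1, a_j, P)
        d2 = pow(c2 * pow(G, -j, P) % P, a_j, P)
        # multiplying by a fresh encryption of x_j adds the secret and rerandomizes
        r1, r2 = encrypt(k, x_j)
        reply.append((d1 * r1 % P, d2 * r2 % P))
    return reply


def alice_output(keys, i, reply):
    """Alice decrypts m_i; every other m_j decrypts to an unrelated random element."""
    return decrypt(keys[1], reply[i])
```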

Security. Various definitions of security for OT have been proposed. The most widely accepted are those relying on a general framework for defining secure two-party computation (cf. [refs]). We are unable to obtain this level of security while preserving the minimal number of rounds in our protocol. In a nutshell, the security definition satisfied by the above protocol relaxes the simulation-based definition of [refs] in two ways. First, the simulator for Alice is allowed to be computationally unbounded (yet its simulation quality is perfect or statistical rather than computational). This may be interpreted as saying that Bob's security is purely information theoretic. Second, the simulator for Bob should simulate Bob's view alone, without considering its correlation with Alice's output. In particular, we do not require that a cheating Bob knows the input to which Alice's selection effectively applies. We feel however that the notion of security we achieve is perfectly suitable for OT, either as a standalone application, or in more general "information-retrieval" contexts such as the one studied in this work. Next we analyze the security of the above protocol.

The view of a possibly cheating Bob only contains a random public-key and a (random) encryption. Therefore, the semantic security of $E$ implies that this view can be simulated. The view of a possibly cheating Alice (even an unbounded one) can be perfectly emulated by an unbounded simulator. The simulator first computes the private key $sk$ that corresponds to $k$ (if such a key does not exist, Bob would refuse to interact with Alice). Note that this requires the simulator to be unbounded. Now there exists at most a single $i$ for which $c = E_k(i)$. If such an $i$ exists the simulator queries for $x^i$ and defines $m^i$ to be a random encryption of $x^i$. For all other $j$, the simulator defines $m^j$ to be a random encryption of a random element. It is easy to verify that this is a perfect simulation.

Efficiency and Improvements. Alice's work consists of sampling a key and a constant number of public-key operations. Bob performs $O(n)$ public-key operations and its message contains $n$ encryptions. However, the improvements in efficiency that are described in the previous sections apply also in the context of the OT protocol. We omit the details in this preliminary version.
Abstract. Known practical blind signature schemes whose security
against adaptive and parallel attacks can be proven in the random oracle 
model either need five data exchanges between the signer and the user 
or are limited to issue only logarithmically many signatures in terms of 
a security parameter. This paper presents an efficient blind signature 
scheme that allows a polynomial number of signatures to be securely is- 
sued while only three data exchanges are needed. Its security is proven in 
the random oracle model. As an application, a provably secure solution 
for double-spender-traceable e-cash is presented. 



1 Introduction 



Blind signatures are a key part of some information systems that offer both user privacy and data authenticity. Such systems include anonymous electronic cash and electronic voting as typical examples. The notion of blind signatures was first introduced by Chaum in [ref] with the first scheme based on RSA. Later, some discrete-log based signature schemes were turned into blind signatures [refs]. For some applications, extra functionalities, such as partial blindness and revocability [refs], were added. A secure blind signature scheme should be one-more unforgeable against adaptive and parallel attacks. Namely, users should not be able to produce more signatures than legitimately issued.

There are some theoretical results on the security of blind signatures [refs]. In [22], a formal security definition and a secure scheme were introduced, though the scheme was rather impractical compared to ordinary signature schemes in real use. In [refs], Pointcheval and Stern proved one type of efficient blind signature schemes, which includes Okamoto-Schnorr [23] and Okamoto-Guillou-Quisquater [20] signatures, to be secure in the random oracle model [ref] as long as a logarithmic number of signatures were issued. Later, [ref] introduced a generic adaptation that renders logarithmically secure blind signature schemes into secure ones with polynomially many signatures. Its cost is two additional data transfers. As the underlying schemes require three data transfers, the resulting schemes need five moves of data between the signer and a user. In [ref], Schnorr and Jakobsson argued the security of the Schnorr blind signature in the random oracle model with a strong assumption: the attacker is generic, i.e., restricted to using the group operation only. In [ref], Fischlin pointed out some pitfalls that could be found between the generic adversary plus random oracle model and reality.

This paper presents a blind signature scheme that needs only three data moves and provides polynomial security, i.e., one-more unforgeability even if polynomially many signatures are issued in an adaptive and concurrent manner. The security is proven in the random oracle model. The scheme remains practical as it requires only three to four times more computation than the original Schnorr signatures [ref].

Another advantage of our scheme is its potential support of protocols that need additional functionality. By following the idea of [ref], one can easily extend our scheme to a partially blind scheme. Furthermore, it is shown that a variant of our scheme gives a provably secure solution for double-spender-traceable electronic cash systems. Note that such e-cash schemes in the literature, e.g. [refs], rely on a variant of blind signatures called restrictive blind signatures [ref], whose security has been proved only under non-standard and strong assumptions and only against certain restricted attacks [ref], while our solution withstands the most general attacks.

2 Security Definitions 

Blind signature schemes have two aspects of security: blindness and one-more unforgeability. Let $(\mathcal{G}, \mathcal{S}, \mathcal{U}, \mathcal{V})$ be a blind signature scheme where $\mathcal{G}$ is the key generation algorithm, $\mathcal{S}$ and $\mathcal{U}$ are a signer and a user, respectively, and $\mathcal{V}$ is a verification algorithm (refer to [22] for a formal definition of blind signature schemes).

Definition 1. (Blindness) Let $\mathcal{S}^*$ and $\mathcal{D}^*$ be a signer and a distinguisher. Let $view_0$ and $view_1$ be views of $\mathcal{S}^*$ during executions of the signature issuing protocol where honest user $\mathcal{U}$ obtains valid signature-message pairs $(\Sigma_0, msg_0)$ and $(\Sigma_1, msg_1)$, respectively. Given $(view_0, view_1, \Sigma_b, msg_b)$ for $b \in_U \{0,1\}$, $\mathcal{D}^*$ outputs $b' \in \{0,1\}$. A signature scheme is blind if, for all polynomial-time $\mathcal{S}^*$ and $\mathcal{D}^*$, $b' = b$ happens with probability at most $1/2 + 1/n^c$ for sufficiently large $n$ and some constant $c$. The probability is taken over the coin flips of $\mathcal{G}$, $\mathcal{S}^*$, $\mathcal{D}^*$ and $\mathcal{U}$.

Note that our scheme provides computational blindness as defined above, while some of the previously known schemes achieve perfect blindness, where the success probability of an unbounded $\mathcal{D}^*$ is exactly $1/2$.

Definition 2. (One-more unforgeability) A blind signature scheme is $(\ell, \ell+1)$-unforgeable if for any probabilistic polynomial-time algorithm $\mathcal{U}^*$, $\mathcal{U}^*$ outputs $\ell + 1$ valid signatures with probability at most $1/n^c$ for sufficiently large $n$ and some constant $c$ after interacting with legitimate signer $\mathcal{S}$ at most $\ell$ times in an adaptive and concurrent manner. The probability is taken over the coin flips of $\mathcal{G}$, $\mathcal{S}$, and $\mathcal{U}^*$.

In the random oracle model, these success probabilities also depend on the choice 
of random oracles. 
3 The Proposed Scheme

3.1 Underlying Idea 

The proposed scheme is based on the partially blind signature scheme of [3]. Roughly, their scheme is a witness indistinguishable variant of the Schnorr signature scheme where the signer uses two public keys $y\,(= g^x)$ and $z\,(= g^w)$, which we call the real public key and the tag public key, respectively, in such a way that the signature can be issued only with real secret key $x$ but no one can distinguish which secret key, i.e., $x$ or $w$, was used. Their scheme then allows the signer to sign with several different tag public keys to achieve partial blindness. It was proven that the same tag key could be used only for logarithmically many signatures but the signer could use polynomially many tag keys. Accordingly, if the signer generates a one-time tag key each time he signs, it achieves polynomial security, though the blindness is lost.

Our scheme follows the above approach with additional ideas to retain blindness. It allows the user to blind the tag public key so that the resulting signature can be verified with the real public key provided by the signer and the blinded tag public key provided by the user. However, if the blinding is perfectly done and the resulting tag public key just looks like a random public key, the user could himself generate such a signature by arbitrarily creating the tag key and exploiting witness indistinguishability. Accordingly, we restrict the blinding so that the resulting blinded tag key maintains a link to the original one but the link is computationally hidden. Namely, our scheme provides computational blindness. The main idea to realize this property is to use a pair of tag public keys, say $(z, z_1)$, in such a way that $z$ is fixed and $z_1$ is changed for every signature. The user blinds them into $(\zeta, \zeta_1) = (z^\gamma, z_1^\gamma)$ with random factor $\gamma$ so that $\log_z z_1 = \log_\zeta \zeta_1$ holds. Accordingly, $(\zeta, \zeta_1)$ preserves the relation that underlies $(z, z_1)$. The blindness is now provided if the signer cannot decide whether $(z, z_1, \zeta, \zeta_1)$ is in such a relation or not. Some more tricks are added to force the user to follow the blinding procedure to get valid signatures.

This restrictive blinding stealthily preserves the link between each valid signature and a particular execution of the issuing protocol. Thus, if $\ell + 1$ signatures are generated after $\ell$ executions of the signing protocol, there exists an execution that yields at least two signatures. Accordingly, we only need to consider the possibility of yielding two signatures from one issuing, which results in a more efficient reduction than the previous results.

3.2 Construction 

Let $\mathcal{G}$ be a probabilistic polynomial-time algorithm that takes security parameter $n$ and outputs $(p, q, g)$ where $p, q$ are large primes that satisfy $q \mid p - 1$, and $g$ is an element of $Z_p^*$ whose order is $q$. By $\langle g \rangle$, we denote the prime-order subgroup of $Z_p^*$ generated by $g$. Let $H_1 : \{0,1\}^* \rightarrow \langle g \rangle$, $H_2 : \{0,1\}^* \rightarrow \langle g \rangle$, and $H_3 : \{0,1\}^* \rightarrow Z_q$ be hash functions. We assume that it is hard to compute the discrete log of the outputs of $H_1$ and $H_2$. Such hash functions may be constructed in practice as $\mathrm{SHA}(str)^{(p-1)/q} \bmod p$, allowing negligibly small error probability [3].
Signer $\mathcal{S}$ holds $x, z, g, h$; user $\mathcal{U}$ holds $y, z, g, h, m$.

Signer $\mathcal{S}$:
  $rnd \in_U \{0,1\}^*$
  $z_1 = H_2(rnd)$, $z_2 = z / z_1$
  $u, s_1, s_2, d \in_U Z_q$
  $a = g^u$, $b_1 = g^{s_1} z_1^{d}$, $b_2 = h^{s_2} z_2^{d}$
  $\mathcal{S}$ sends $rnd, a, b_1, b_2$ to $\mathcal{U}$.

User $\mathcal{U}$:
  check $a, b_1, b_2 \in \langle g \rangle$
  $z_1 = H_2(rnd)$
  $\gamma \in_U Z_q^*$
  $\zeta = z^\gamma$, $\zeta_1 = z_1^\gamma$, $\zeta_2 = \zeta / \zeta_1$
  $t_1, t_2, t_3, t_4, t_5 \in_U Z_q$
  $\alpha = a\, g^{t_1} y^{t_2}$
  $\beta_1 = b_1^{\gamma} g^{t_3} \zeta_1^{t_4}$, $\beta_2 = b_2^{\gamma} h^{t_5} \zeta_2^{t_4}$
  $\tau \in_U Z_q$
  $\eta = z^\tau$
  $\varepsilon = H_3(\zeta \| \zeta_1 \| \alpha \| \beta_1 \| \beta_2 \| \eta \| m)$
  $e = \varepsilon - t_2 - t_4 \bmod q$
  $\mathcal{U}$ sends $e$ to $\mathcal{S}$.

Signer $\mathcal{S}$:
  $c = e - d \bmod q$
  $r = u - cx \bmod q$
  $\mathcal{S}$ sends $r, c, s_1, s_2, d$ to $\mathcal{U}$.

User $\mathcal{U}$:
  $\rho = r + t_1 \bmod q$
  $\omega = c + t_2 \bmod q$
  $\sigma_1 = \gamma s_1 + t_3 \bmod q$
  $\sigma_2 = \gamma s_2 + t_5 \bmod q$
  $\delta = d + t_4 \bmod q$
  $\mu = \tau - \delta\gamma \bmod q$
  check $\omega + \delta \stackrel{?}{=} H_3(\zeta \| \zeta_1 \| g^{\rho} y^{\omega} \| g^{\sig
ma_1} \zeta_1^{\delta} \| h^{\sigma_2} \zeta_2^{\delta} \| z^{\mu} \zeta^{\delta} \| m) \bmod q$
  output $\Sigma = (\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$

Fig. 1. The signature issuing protocol. The user aborts if any of the checks ($=$, $\in$) fails.



[Key Generation]

The signer executes $(p, q, g) \leftarrow \mathcal{G}$ and selects $h \in_U \langle g \rangle$, $x \in_U Z_q$. It then computes real public-key $y$ and fixed tag key $z$ as $y = g^x \bmod p$ and $z = H_1(p \| q \| g \| h \| y)$, respectively. If $z = 1$, abandon the key and retry. The public key is $(p, q, g, h, y, z)$, and the private key is $x$.

[Signature Issuing]

Here we overview the signature issuing protocol at a higher level. The details are illustrated in Figure 1. Hereafter, all arithmetic operations are done in $Z_p$ unless otherwise noted.

Signer $\mathcal{S}$: $\mathcal{S}$ generates a random string $rnd$ and a one-time tag key $z_1 = H_2(rnd)$. Sending $rnd$ convinces $\mathcal{U}$ that $\log_g z_1$ is not known to $\mathcal{S}$. Then $z_2$ is computed so that $z = z_1 \cdot z_2$ holds. The rest of the issuing protocol consists of two parts:
— $y$-side: Proof of knowledge $x$ of $y = g^x$, and

— $z$-side: Proof of knowledge $(w_1, w_2)$ of $z_1 = g^{w_1}$, $z_2 = h^{w_2}$.

Since the $z$-side witness is not known to $\mathcal{S}$, the $z$-side proof is done by simulation as illustrated in Figure 1 by using the OR-proof technique of [ref]. Accordingly, $\mathcal{S}$ can complete the protocol only with the $y$-side witness $x$.

User $\mathcal{U}$: $\mathcal{U}$ blinds and converts the $y$-side proof into a signature in the same way as done in Schnorr blind signatures [refs]. For the $z$-side, $\mathcal{U}$ blinds $z, z_1, z_2$ into $\zeta, \zeta_1, \zeta_2$ by raising them to the random factor $\gamma$. The proofs for $z_1, z_2$ given by $\mathcal{S}$ are also blinded, and then converted into signatures in the standard way with adjustment for the effect of $\gamma$. $\mathcal{U}$ then creates an additional Schnorr signature that proves $\zeta = z^\gamma$.

The resulting signature $\Sigma$ is the 8-tuple $\Sigma = (\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$ that proves the knowledge of $\log_g y \;\vee\; (\log_g \zeta_1 \wedge \log_h(\zeta/\zeta_1) \wedge \log_z \zeta)$.

[Signature Verification]

A signature-message pair $(\Sigma, m)$ is valid if it satisfies $\zeta \ne 1$ and

$\omega + \delta = H_3(\zeta \| \zeta_1 \| g^{\rho} y^{\omega} \| g^{\sigma_1} \zeta_1^{\delta} \| h^{\sigma_2} (\zeta/\zeta_1)^{\delta} \| z^{\mu} \zeta^{\delta} \| m) \bmod q.$
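The issuing protocol of Fig. 1 and the verification predicate, as an added Python example that is not the paper's code: it assumes a constructed toy group $(p, q, g) = (1019, 509, 4)$, builds $H_1, H_2$ as $\mathrm{SHA}(str)^{(p-1)/q} \bmod p$ as Section 3.2 suggests, and derives $h$ from the same hash so that its discrete logarithm is unknown.

```python
import hashlib
import secrets

# Toy group (constructed for this example): q | p-1 and G generates the order-q
# subgroup <g> of Z_p^*. Real deployments need p of 2048+ bits and q of 256 bits.
P, Q, G = 1019, 509, 4


def in_group(v):  # membership in <g>; the user aborts if a, b1, b2 fail this check
    return 0 < v < P and pow(v, Q, P) == 1


def hash_to_group(label, data):
    """H1/H2: {0,1}* -> <g>, built as SHA(str)^((p-1)/q) mod p as the text suggests."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{label}|{data}|{ctr}".encode()).digest()
        v = pow(int.from_bytes(digest, "big") % P, (P - 1) // Q, P)
        if v not in (0, 1):  # retry on the rare images 0 and 1
            return v
        ctr += 1


def h3(*parts):
    """H3: {0,1}* -> Z_q, the challenge hash over zeta||zeta1||alpha||beta1||beta2||eta||m."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q


def keygen():
    """[Key Generation]: y = g^x and fixed tag key z = H1(p||q||g||h||y)."""
    h = hash_to_group("h", "nothing-up-my-sleeve")  # h in <g> with unknown discrete log
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    z = hash_to_group("H1", f"{P}|{Q}|{G}|{h}|{y}")  # never 1, so no retry is needed
    return {"h": h, "y": y, "z": z}, x


def signer_move1(pk, x):
    """Move 1: one-time tag key z1 = H2(rnd), z2 = z/z1, commitments a, b1, b2."""
    rnd = secrets.token_hex(16)
    z1 = hash_to_group("H2", rnd)
    z2 = pk["z"] * pow(z1, -1, P) % P
    u, s1, s2, d = (secrets.randbelow(Q) for _ in range(4))
    a = pow(G, u, P)                                 # y-side: real Schnorr commitment
    b1 = pow(G, s1, P) * pow(z1, d, P) % P           # z-side: simulated with challenge d
    b2 = pow(pk["h"], s2, P) * pow(z2, d, P) % P     # (OR-proof, z-side witness unknown)
    return (u, s1, s2, d, x), (rnd, a, b1, b2)


def user_move2(pk, m, msg1):
    """Move 2: blind z, z1, z2 by gamma, blind the commitments, send challenge e."""
    rnd, a, b1, b2 = msg1
    if not all(in_group(v) for v in (a, b1, b2)):
        raise ValueError("commitment outside <g>: abort")
    z1 = hash_to_group("H2", rnd)
    gamma = secrets.randbelow(Q - 1) + 1             # gamma != 0 keeps zeta != 1
    zeta, zeta1 = pow(pk["z"], gamma, P), pow(z1, gamma, P)
    zeta2 = zeta * pow(zeta1, -1, P) % P             # equals z2^gamma
    t1, t2, t3, t4, t5, tau = (secrets.randbelow(Q) for _ in range(6))
    alpha = a * pow(G, t1, P) * pow(pk["y"], t2, P) % P
    beta1 = pow(b1, gamma, P) * pow(G, t3, P) * pow(zeta1, t4, P) % P
    beta2 = pow(b2, gamma, P) * pow(pk["h"], t5, P) * pow(zeta2, t4, P) % P
    eta = pow(pk["z"], tau, P)                       # commitment of the zeta = z^gamma proof
    e = (h3(zeta, zeta1, alpha, beta1, beta2, eta, m) - t2 - t4) % Q
    return (gamma, zeta, zeta1, (t1, t2, t3, t4, t5), tau), e


def signer_move3(st, e):
    """Move 3: split the challenge (c = e - d) and answer the y-side with the real x."""
    u, s1, s2, d, x = st
    c = (e - d) % Q
    return (u - c * x) % Q, c, s1, s2, d


def verify(pk, m, sig):
    """zeta != 1 and omega + delta == H3(zeta||zeta1||g^rho y^omega||g^sigma1 zeta1^delta||
    h^sigma2 (zeta/zeta1)^delta||z^mu zeta^delta||m) mod q."""
    zeta, zeta1, rho, omega, sigma1, sigma2, delta, mu = sig
    if zeta == 1 or not (in_group(zeta) and in_group(zeta1)):
        return False
    zeta2 = zeta * pow(zeta1, -1, P) % P
    a1 = pow(G, rho, P) * pow(pk["y"], omega, P) % P
    a2 = pow(G, sigma1, P) * pow(zeta1, delta, P) % P
    a3 = pow(pk["h"], sigma2, P) * pow(zeta2, delta, P) % P
    a4 = pow(pk["z"], mu, P) * pow(zeta, delta, P) % P
    return (omega + delta) % Q == h3(zeta, zeta1, a1, a2, a3, a4, m)


def user_finish(pk, m, st, msg3):
    """Unblind into the 8-tuple (zeta, zeta1, rho, omega, sigma1, sigma2, delta, mu)."""
    gamma, zeta, zeta1, (t1, t2, t3, t4, t5), tau = st
    r, c, s1, s2, d = msg3
    rho, omega = (r + t1) % Q, (c + t2) % Q
    sigma1, sigma2 = (gamma * s1 + t3) % Q, (gamma * s2 + t5) % Q
    delta = (d + t4) % Q
    mu = (tau - delta * gamma) % Q
    sig = (zeta, zeta1, rho, omega, sigma1, sigma2, delta, mu)
    if not verify(pk, m, sig):                       # the user's final check in Fig. 1
        raise ValueError("verification predicate failed: abort")
    return sig


def blind_sign(pk, x, m):
    """Three moves between an honest signer and user; returns the signature on m."""
    s_state, msg1 = signer_move1(pk, x)
    u_state, e = user_move2(pk, m, msg1)
    return user_finish(pk, m, u_state, signer_move3(s_state, e))
```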



4 Security Proofs 

4.1 Correctness 



Theorem 1. If the signer and the user follow the issuing protocol, the resulting signature satisfies the verification predicates with probability 1.

Proof. Observe that the following holds. 



$\omega + \delta = c + t_2 + d + t_4 = e + t_2 + t_4 = \varepsilon \pmod q$

$g^{\rho} y^{\omega} = g^{r + t_1} y^{c + t_2} = g^{r + cx} g^{t_1} y^{t_2} = a\, g^{t_1} y^{t_2} = \alpha$

$g^{\sigma_1} \zeta_1^{\delta} = g^{\gamma s_1 + t_3} \zeta_1^{d + t_4} = (b_1 z_1^{-d})^{\gamma} g^{t_3} \zeta_1^{d + t_4} = b_1^{\gamma} g^{t_3} \zeta_1^{t_4} = \beta_1$

$h^{\sigma_2} (\zeta/\zeta_1)^{\delta} = h^{\gamma s_2 + t_5} \zeta_2^{d + t_4} = (b_2 z_2^{-d})^{\gamma} h^{t_5} \zeta_2^{d + t_4} = b_2^{\gamma} h^{t_5} \zeta_2^{t_4} = \beta_2$

and likewise $z^{\mu} \zeta^{\delta} = z^{\tau - \delta\gamma} z^{\gamma\delta} = z^{\tau} = \eta$.

Furthermore, $\zeta \ne 1$ holds as $\gamma \ne 0$ when the user is honest.



□ 



4.2 Blindness 

Theorem 2. The proposed scheme is blind if the decision Diffie-Hellman problem is intractable and $H_1, H_2, H_3$ are random oracles.

Proof (sketch). Suppose that $(\mathcal{S}^*, \mathcal{D}^*)$ is successful in breaking blindness with probability $1/2 + \epsilon$ where $\epsilon$ is not negligible. Let $t_D$ be the maximum running time of $\mathcal{D}^*$, which is also polynomially bound. We show that $\mathcal{S}^*$ can be used
to solve the DDH problem. Define $\mathcal{DH} = \{(X_1, X_2, X_3, X_4) \in \langle g \rangle^4 \mid \log_{X_1} X_2 = \log_{X_3} X_4\}$ and $\mathcal{R} = \{(X_1, X_2, X_3, X_4) \in \langle g \rangle^4\}$. Let $(A, B, C, D) \in \langle g \rangle^4$ be a DDH instance, which is taken from $\mathcal{DH}$ or $\mathcal{R}$ with equal probability. Given such an instance, first define $H_1$ so that $z = A$. Select $b \in_U \{0,1\}$ and engage in the issuing protocol with $\mathcal{S}^*$ twice. Label the executions $run_0$ and $run_1$. Define $H_2$ so that $z_1 = B$ in $run_b$, and $z_1 \in_U \langle g \rangle$ in $run_{1-b}$. Follow the protocol in both runs. Then, generate a signature-message pair $(\Sigma, m)$ that includes $(\zeta, \zeta_1) = (C, D)$. Other variables in $\Sigma$ are generated by using the standard zero-knowledge simulation technique: randomly choose $\rho, \omega, \sigma_1, \sigma_2, \delta, \mu$, and then define $H_3$ so that it looks consistent. Given $(\Sigma, m)$ and the views from $\mathcal{S}^*$, distinguisher $\mathcal{D}^*$ outputs $b'$. If $b' = b$, we conclude that the instance is in $\mathcal{DH}$. It is in $\mathcal{R}$, otherwise.

Observe that if $(A, B, C, D) \in \mathcal{DH}$, $\Sigma$ is a valid signature that can be produced in $run_b$, since $\log_z z_1 = \log_A B = \log_C D = \log_\zeta \zeta_1$ there exist blinding factors $\gamma, t_1, \ldots, t_5$ that convert the view of $run_b$ into $\Sigma$ (see the footnote at the end of this section). On the other hand, $\Sigma$ cannot be produced from $run_{1-b}$ since $\log_z z_1 \ne \log_\zeta \zeta_1$ except with negligible probability. Therefore, given $\Sigma$, $\mathcal{D}^*$ outputs the correct $b$ with probability $1/2 + \epsilon$. Next, observe that if $(A, B, C, D) \in \mathcal{R}$, $\Sigma$ cannot be produced in either $run_0$ or $run_1$ since $\log_z z_1 \ne \log_\zeta \zeta_1$ for both runs except with negligible probability. Hence, $b$ is independent of $\Sigma$, and $b' = b$ happens with probability $1/2$. Thus, the success probability in the DDH problem is $1/2\,(1/2 + \epsilon) + 1/2\,(1/2) = 1/2 + \epsilon/2$, which contradicts the DDH assumption when $\epsilon$ is not negligible. Note that $\mathcal{D}^*$ may not terminate in time $t_D$ if the instance is in $\mathcal{R}$. However, this is also to our advantage since we can see that $\Sigma$ is not a proper input to $\mathcal{D}^*$ and the instance is in $\mathcal{R}$.

Finally, note that if $\mathcal{S}^*$ chooses the same $rnd$ in both executions, the resulting signatures are perfectly indistinguishable as there exist consistent blinding factors for any combination of the views and signatures. □

Note that the blindness relies on the decision Diffie-Hellman assumption over the public key of the signer. This suggests that an adversarial signer could choose $p, q, g$ so that the DDH problem could be solved with those parameters. However, as we shall show in the next section, one-more unforgeability is based on the discrete logarithm assumption. Therefore, choosing weak parameters to violate blindness could result in the loss of one-more unforgeability unless DL is strictly harder than DDH. Nevertheless, it is beneficial for the users to verify that the public keys are generated and the hash functions are chosen so that those assumptions are likely to hold. There are several practical solutions for this matter. An inexpensive solution would be to use a widely believed secure hash function like SHA-1, and plug it into the source of randomness of $\mathcal{G}$ so that the users can believe that there is no room for the adversarial signer to control the resulting parameters. It is also needed to check if $y$ is in $\langle g \rangle$ and $z$ is correctly made. In practice these could be examined by a certificate authority at registration on behalf of the users.

Footnote (referenced in the proof of Theorem 2): This is why $b_1, b_2 \in \langle g \rangle$ has to be checked. Without this check, wrong $b_1, b_2$ could produce a valid signature if $\gamma$ is a lucky choice. This results in a nonuniform distribution of $\gamma$ while the one that underlies the simulated signature follows the uniform distribution.

4.3 One-More Unforgeability 

Theorem 3. The proposed scheme is $(\ell, \ell+1)$-unforgeable for polynomially bound $\ell$ if the discrete logarithm problem is intractable and $H_1, H_2, H_3$ are random oracles.

The proof is structured as follows. We first observe that the scheme is witness indistinguishable [ref] (Lemma 1), which helps us to simulate the signer with either the $y$-side or the $z$-side witness(es) to extract the witness of the other side. It is then proven that the user can blind $(z, z_1)$ into $(\zeta, \zeta_1)$ only in such a way that $\log_z \zeta = \log_{z_1} \zeta_1$ to obtain a valid signature (Lemma 2). We then show that creating a valid signature without engaging in the issuing protocol with the legitimate signer is infeasible (Lemma 3). From Lemmas 2 and 3 one can see that if the user engages in the signature issuing protocol $\ell$ times and outputs $\ell + 1$ signatures, there exist at least two valid signatures linked to a particular run of the issuing protocol. So the rest is to prove that such a forger who is successful in producing two signatures from a single protocol run can be used to solve the discrete logarithm problem.

Lemma 1. The signature issuing protocol is witness indistinguishable.

The above lemma holds immediately according to [ref]. Indeed, it is not hard to see that the issuing protocol can be completed if the signer knows either the $y$-side witness $x$, or the $z$-side witness $(w_1, w_2) = (\log_g z_1, \log_h z_2)$.

Hereafter, let $run_i$ denote the label of the $i$-th execution of the issuing protocol. We define the $z$-side witness in $run_i$ as $(w_{1i}, w_{2i})$.

Lemma 2. (Restrictive Blinding) Let $\mathcal{U}_0^*$ be a user that engages in the signature issuing protocol $\ell$ times, and outputs a valid message-signature pair $(m, \zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$. Let $z_{1i}$ denote $z_1$ used by $\mathcal{S}$ in $run_i$. For polynomially bound $\ell$ and for all polynomial-time $\mathcal{U}_0^*$, the probability that $\log_z \zeta \ne \log_{z_{1i}} \zeta_1$ holds for all $i$ is negligible if the discrete logarithm problem is intractable and $H_1, H_2, H_3$ are random oracles.

Proof idea: Suppose that $\log_g h$ is not known. We assign $z = g^{w_1} h^{w_2}$ and $(z_{1J}, z_{2J}) = (g^{w_1}, h^{w_2})$ for $J \in_U \{1, \ldots, \ell\}$ by defining $H_1$ and $H_2$ so. Since the signature contains proofs of $\zeta = z^\gamma$, $\zeta_1 = g^{w_1'}$, $\zeta_2 = h^{w_2'}$, we may be capable of extracting $(\gamma, w_1', w_2')$ by rewinding the user in the random oracle model. Once it is done, the condition $\log_z \zeta \ne \log_{z_{1J}} \zeta_1$ guarantees that we obtain two different representations of $z$, i.e., $z = g^{w_1} h^{w_2} = g^{w_1'/\gamma} h^{w_2'/\gamma}$, which allows us to compute $\log_g h$. For this to be done, we need to simulate $\mathcal{S}$ issuing $\ell$ signatures without knowing $\log_g h$. We do this with the $y$-side witness $x$ by exploiting witness indistinguishability. The problem is that, due to witness indistinguishability, the rewinding may result in extracting the $y$-side witness $x$, which is already known. So we first flip a coin to decide with which witness, $y$-side or $z$-side, the simulation is performed, and expect that one of the following happens.
Fig. 2. The interaction among signer $\mathcal{S}$, adversary $\mathcal{U}_1^*$, and random oracle $H_3$.



— Simulation is done with the $y$-side witness (and the $z$-side witness in $run_J$). Then another $z$-side witness is extracted by rewinding. This solves $\log_g h$.

— Simulation is done with $z$-side witnesses. Then the $y$-side witness is extracted by rewinding. This solves $\log_g y$.

Proof. Assume that, having at most $q_h$ accesses to $H_3$ and asking at most $\ell$ signatures of $\mathcal{S}$, $\mathcal{U}_0^*$ outputs a signature $(\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$ that satisfies $\log_z \zeta \ne \log_{z_{1i}} \zeta_1$ for all $i$ with probability $\epsilon_0$ which is not negligible in $n$. Here, $q_h$ and $\ell$ are bound by a polynomial in the security parameter $n$. We randomly fix an index $Q \in \{1, \ldots, q_h\}$ and regard $\mathcal{U}_0^*$ as successful only if the resulting signature corresponds to the $Q$-th query to $H_3$. (If it does not correspond to any query, $\mathcal{U}_0^*$ is successful only with negligible probability due to the randomness of $H_3$.) Accordingly, it is equivalent to assuming an adversary, say $\mathcal{U}_1^*$, that asks $H_3$ only once and succeeds with probability $\epsilon_1 \ge \epsilon_0 / q_h$. Figure 2 illustrates the interaction among the signer $\mathcal{S}$, adversarial user $\mathcal{U}_1^*$ and random oracle $H_3$. Given $\mathcal{U}_1^*$, we construct a machine $\mathcal{M}_1$ that solves the discrete-log problem by simulating the interaction. Let $(p, q, g, Y)$ be an instance to solve $\log_g Y$ in $Z_q$.

Reduction Algorithm: $\mathcal{M}_1$ first sets $(p, q, g) := (p, q, g)$. It then flips a coin $\chi \in_U \{0, 1\}$ to select either $y := Y$ (case $\chi = 0$), or $h := Y$ (case $\chi = 1$).

Case $y = Y$: (Extracting the $y$-side witness)

1. $\mathcal{M}_1$ selects $w, w_0 \in_U Z_q$ and sets $h := g^w$ and $z := H_1(p \| q \| g \| y) = g^{w_0}$.

2. $\mathcal{M}_1$ runs $\mathcal{U}_1^*$ simulating $\mathcal{S}$ with $z$-side witnesses as follows.

(a) Select $c_i, r_i \in_U Z_q$ and compute $a_i := g^{r_i} y^{c_i}$.

(b) Select $rnd_i \in_U \{0,1\}^*$ and $w_{1i} \in_U Z_q$ and define $H_2(rnd_i)$ as $g^{w_{1i}}$. Then compute $w_{2i} := (w_0 - w_{1i}) / w \bmod q$. (Accordingly, $z_{1i} = g^{w_{1i}}$ and $z_{2i} = h^{w_{2i}}$.)

(c) Compute $b_{1i} := g^{u_{1i}}$ and $b_{2i} := h^{u_{2i}}$ with $u_{1i}, u_{2i} \in_U Z_q$.

(d) Send $rnd_i, a_i, b_{1i}, b_{2i}$ to $\mathcal{U}_1^*$.

(e) Given $e_i$ from $\mathcal{U}_1^*$, compute $d_i := e_i - c_i \bmod q$, $s_{1i} := u_{1i} - d_i w_{1i} \bmod q$, and $s_{2i} := u_{2i} - d_i w_{2i} \bmod q$.

(f) Send $r_i, c_i, s_{1i}, s_{2i}, d_i$ to $\mathcal{U}_1^*$.

$\mathcal{M}_1$ simulates $H_3$ by returning $\varepsilon \in_U Z_q$.

3. $\mathcal{U}_1^*$ outputs a signature, say $(\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$, that corresponds to $\varepsilon$.

4. Reset and restart with the same setting. $\mathcal{M}_1$ simulates $H_3$ with $\varepsilon' \in_U Z_q$.

5. $\mathcal{U}_1^*$ outputs a signature, say $(\zeta, \zeta_1, \rho', \omega', \sigma_1', \sigma_2', \delta', \mu')$, that corresponds to $\varepsilon'$.

6. If $\omega \ne \omega'$, $\mathcal{M}_1$ outputs $x := (\rho - \rho') / (\omega' - \omega) \bmod q$. The simulation fails, otherwise.

Case $h = Y$: (Extracting the z-side witness)

1. $\mathcal{M}_1$ selects $x \in_U \mathbb{Z}_q$ and sets $y := g^{x}$. It also selects $w_1, w_2 \in_U \mathbb{Z}_q$ and sets $z := \mathcal{H}_1(p \| q \| g \| y) = g^{w_1} h^{w_2}$.

2. $\mathcal{M}_1$ selects $I \in_U \{0, \ldots, \ell\}$ and $J \in_U \{1, \ldots, \ell\}$.

3. $\mathcal{M}_1$ runs $\mathcal{U}_1^*$ simulating $\mathcal{S}$ as follows.

(a) For $i \ne J$, $\mathcal{M}_1$ follows the protocol with the y-side witness $x$. $\mathcal{H}_2$ is simulated by returning random choices from $\langle g \rangle$.

(b) For $i = J$, $\mathcal{M}_1$ engages in the issuing protocol using both the y-side witness $x$ and the z-side witness $(w_1, w_2)$ as follows.

i. Define $\mathcal{H}_2(\mathrm{rnd}_J)$ so that $z_{1J} = g^{w_1}$ and $z_{2J} = h^{w_2}$.

ii. Compute $a_J = g^{u_J}$, $b_{1J} = g^{u_{1J}}$, $b_{2J} = h^{u_{2J}}$ with $u_J, u_{1J}, u_{2J} \in_U \mathbb{Z}_q$.

iii. Send $(\mathrm{rnd}_J, a_J, b_{1J}, b_{2J})$ to $\mathcal{U}_1^*$.

iv. Given $e_J$ from $\mathcal{U}_1^*$, choose $d_J \in_U \mathbb{Z}_q$ and compute $c_J := e_J - d_J \bmod q$, $r_J := u_J - c_J x \bmod q$, $s_{1J} := u_{1J} - d_J w_1 \bmod q$, and $s_{2J} := u_{2J} - d_J w_2 \bmod q$.

v. Send $(r_J, c_J, s_{1J}, s_{2J}, d_J)$ to $\mathcal{U}_1^*$.

$\mathcal{M}_1$ simulates $\mathcal{H}_3$ by returning $e \in_U \mathbb{Z}_q$.

4. $\mathcal{U}_1^*$ outputs a signature, say $(\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$, that corresponds to $e$.

5. Rewind and restart $\mathcal{U}_1^*$ with the same setting.

— If $I = 0$, $\mathcal{M}_1$ simulates $\mathcal{H}_3$ by returning $e' \in_U \mathbb{Z}_q$. Otherwise, set $e' = e$.
— If $I \ne 0$ and $\mathrm{run}_I$ has not yet been completed before the query to $\mathcal{H}_3$ is sent, $\mathcal{M}_1$ simulates the execution by using both y-side and z-side witnesses as above, choosing $d_J' \in_U \mathbb{Z}_q$. Otherwise, $\mathcal{M}_1$ simulates only with the y-side witness, choosing $d_J' = d_J$.

6. $\mathcal{U}_1^*$ outputs a signature, say $(\zeta, \zeta_1, \rho', \omega', \sigma_1', \sigma_2', \delta', \mu')$, that corresponds to $e'$.

7. If $\delta \ne \delta'$, $\mathcal{M}_1$ computes $w_1' = (\sigma_1 - \sigma_1')/(\delta' - \delta) \bmod q$, $w_2' = (\sigma_2 - \sigma_2')/(\delta' - \delta) \bmod q$, and outputs $w = (w_1 - w_1')/(w_2' - w_2) \bmod q$. The simulation fails otherwise.
Evaluation of success probability:

In Figure 2 observe that the independent variables given to $\mathcal{U}_1^*$ are $p, q, g, h, y, \mathcal{H}_1, \mathcal{H}_2$, $\mathrm{rnd}_i, c_i, b_{1i}, b_{2i}, d_i$ for all $i$, and $e$ and the random tape of $\mathcal{U}_1^*$. All other variables are uniquely determined by these independent variables. Note that the $e_i$'s are also determined by the random tape of $\mathcal{U}_1^*$ and the variables that appeared so far. We wrap all these independent variables into $\Lambda$, except for $\{e, d_{i_{k+1}}, \ldots, d_{i_\ell}\}$, which is defined as $D_\epsilon$. Let $D$ denote $D_\epsilon \setminus \{e\}$.

Let $S$ be the set of all $(\Lambda, D_\epsilon)$ that lead $\mathcal{U}_1^*$ to a success, i.e., $\Pr_{\Lambda, D_\epsilon}[(\Lambda, D_\epsilon) \in S] \ge \epsilon_1$. According to Lemma 4, with probability at least $\epsilon_1/2$, a randomly selected $\Lambda$ satisfies $\Pr_{D_\epsilon}[(\Lambda, D_\epsilon) \in S] \ge \epsilon_1/2$. Once $\Lambda$ is fixed, $\delta$ is uniquely determined by $D_\epsilon$. By $\delta \leftarrow D_\epsilon$ we denote the map from $(\Lambda, D_\epsilon)$ in $S$ to $\delta$. If $(\Lambda, D_\epsilon) \notin S$, we denote $\bot \leftarrow D_\epsilon$.

We consider how sensitive $\delta$ is to $D_\epsilon$. Define the function $\psi$ as

$\psi(\delta) = \Pr_{D_\epsilon}[\delta \leftarrow D_\epsilon]$.

Let $\delta_{\max}$ be the value of $\delta$ that maximizes $\psi(\delta)$. That is, $\delta_{\max}$ is the value of $\delta$ that is most likely to appear in a successful output of $\mathcal{U}_1^*$. Let $\psi_{\max} = \psi(\delta_{\max})$. We consider two cases.

Case 1 ($\psi_{\max}$ is not negligible):

In this case, $\delta$ is not likely to change even if $D_\epsilon$ changes, so we perform the rewinding simulation with z-side witnesses choosing $D_\epsilon$ and $D_\epsilon'$ uniformly. By the definition of $\psi_{\max}$, uniformly chosen $D_\epsilon$ and $D_\epsilon'$ both yield $\delta_{\max}$ with probability $\psi_{\max}^2$, which is not negligible. Since $e$ differs in $D_\epsilon$ and $D_\epsilon'$ with overwhelming probability, we have $\omega + \delta_{\max} = e \ne e' = \omega' + \delta_{\max} \pmod q$. Thus we obtain $\omega \ne \omega'$, with which the y-side witness can be extracted as written in Step 6 of Case $y = Y$.

Case 2 ($\psi_{\max}$ is negligible):

In this case, $\delta$ tends to change if $D_\epsilon$ changes. We first observe that there exists at least one element in $D_\epsilon$ whose change impacts $\delta$. Hereafter, we treat $e$ in $D_\epsilon$ as $d_0$, so the elements in $D_\epsilon$ are suffixed as $(0, i_{k+1}, \ldots, i_\ell)$. Define $\mathrm{Id} = (0, i_{k+1}, \ldots, i_\ell)$. Let $D_\epsilon^{-i}$ for $i \in \mathrm{Id}$ denote the sequence obtained by removing $d_i$ from $D_\epsilon$. Observe that $\Pr_{D_\epsilon}[\delta \leftarrow D_\epsilon] \le \psi_{\max}$ holds for any $\delta$ by the definition of $\psi_{\max}$. Suppose that $D_\epsilon$ is uniformly chosen and $\delta$ is produced as $\delta \leftarrow D_\epsilon$. Then, according to Corollary 1, there exists $J \in \mathrm{Id}$ such that a randomly chosen $D_\epsilon^{-J}$ satisfies

$\Pr_{d_J}[\delta \leftarrow D_\epsilon^{-J} \cup \{d_J\}] \ge 1 - \psi_{\max}$

with probability $\le \psi_{\max}$. We can correctly guess such an index $J$ with probability at least $1/(\ell+1)$ by taking it at random from $\{0, \ldots, \ell\}$. Taking the complement of the above, we see that a randomly chosen $D_\epsilon^{-J}$ satisfies

$\Pr_{d_J}[\delta \leftarrow D_\epsilon^{-J} \cup \{d_J\}] < 1 - \psi_{\max}$

with probability $> 1 - \psi_{\max}$. Now suppose that $D_\epsilon'$ is made from $D_\epsilon$ by choosing $d_J' \in_U \mathbb{Z}_q$, and $\delta'$ is produced as $\delta' \leftarrow D_\epsilon'$. From the above observation, $\{\delta' \ne \delta\} \vee \{(\Lambda, D_\epsilon') \notin S\}$ happens with probability not negligible in $n$. According to Lemma 4, with probability $\epsilon_1/4$, a uniformly chosen $D_\epsilon^{-J}$ satisfies

$\Pr_{d_J}[(\Lambda, D_\epsilon^{-J} \cup \{d_J\}) \in S] \ge \epsilon_1/4$.

Thus, with probability not negligible in $n$, such $D_\epsilon$ and $D_\epsilon'$ are in $S$ and result in $\delta' \ne \delta$. From this collision, the z-side witness $\log_g h$ can be extracted as shown in Step 7 of Case $h = Y$. The simulation with such $D_\epsilon$ and $D_\epsilon'$ can be done if the simulator has the y-side witness and the z-side witness of $\mathrm{run}_J$, since they differ at only one index $J$.

The probability distribution over these cases depends on $\Lambda$ and the strategy of $\mathcal{U}_1^*$. Note that the distribution of $\Lambda$ does not depend on the choice of $\chi$, as the protocol is witness indistinguishable and the public keys are generated so that they are distributed uniformly. Accordingly, the coin flip of $\chi$ turns the simulation to the proper case with probability 1/2. □



Lemma 3. Any poly-time adversary outputs a valid signature without interacting with $\mathcal{S}$ only with negligible probability if the discrete logarithm problem is intractable and $\mathcal{H}_1, \mathcal{H}_2, \mathcal{H}_3$ are random oracles.

Proof. (sketch) This is equivalent to proving the security of the ordinary (i.e., non-blind) version of the signature scheme against a key-only attack. Thus it can be done by the rewinding simulation in the random oracle model in a similar way as done in [?]. Given $Y \in_U \langle g \rangle$, we construct a machine, $\mathcal{M}_2$, that finds $\log_g Y$ in $\mathbb{Z}_q$. $\mathcal{M}_2$ first selects $w, \xi$ randomly and sets $y = Y$, $h$ as a power of $g$ determined by $w$, and $z = Y g^{\xi}$. (Since $\mathcal{M}_2$ does not need to simulate the signer $\mathcal{S}$, it can put $Y$ into both $y$ and $z$.) $\mathcal{M}_2$ then invokes $\mathcal{U}^*$ twice with the same initial settings and different $e$ and $e'$ as answers of $\mathcal{H}_3$. Let the resulting signatures be $(\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$ and $(\zeta, \zeta_1, \rho', \omega', \sigma_1', \sigma_2', \delta', \mu')$. Since $\omega + \delta = e \ne e' = \omega' + \delta'$, at least one of $\omega \ne \omega'$ or $\delta \ne \delta'$ happens. If $\omega \ne \omega'$, $\mathcal{M}_2$ computes $\log_g Y = \log_g y = (\rho - \rho')/(\omega' - \omega) \bmod q$. For the case $\delta \ne \delta'$, $\mathcal{M}_2$ computes $\gamma = \log_z \zeta = (\mu - \mu')/(\delta' - \delta) \bmod q$, $w_1 = \log_g \zeta_1 = (\sigma_1 - \sigma_1')/(\delta' - \delta) \bmod q$, $w_2 = \log_g \zeta_2 = (\sigma_2 - \sigma_2')/(\delta' - \delta) \bmod q$, and $\log_g Y = \log_g z - \xi = (w_1 + w_2/w)/\gamma - \xi \bmod q$. □

Proof of the Theorem. Suppose that there exists an adversary $\mathcal{U}_4^*$ that outputs $\ell + 1$ valid signatures with probability $\epsilon_4$ not negligible in $n$ after interacting with $\mathcal{S}$ at most $\ell$ times. The case of $\ell = 0$ has been proven by Lemma 3. We consider $\ell \ge 1$.

Due to Lemmas 2 and 3, among the $\ell + 1$ signatures there exist at least two signature-message pairs which contain $(\zeta, \zeta_1)$ and $(\zeta', \zeta_1')$ such that $\log_\zeta \zeta_1 = \log_{\zeta'} \zeta_1' = \log_z z_{1I}$ holds for the $z_{1I}$ used in $\mathrm{run}_I$ for some $I$ in $\{1, \ldots, \ell\}$. Now, there exist two queries to $\mathcal{H}_3$ that correspond to those signatures. In a similar way as used in the proof of Lemma 2, we guess the indexes of these queries and regard $\mathcal{U}_4^*$ as being successful only if the guess is correct. Accordingly, this is equivalent to an adversary, say $\mathcal{U}_5^*$, that asks $\mathcal{H}_3$ only twice and succeeds with probability $\epsilon_5 = \epsilon_4 / \binom{q_h}{2}$ in producing two signatures in the expected relation.



A Three-Move Blind Signature Scheme for Polynomially Many Signatures 147 



We construct a machine $\mathcal{M}_3$ that, given $(p, q, g, Y)$, solves $\log_g Y$ in $\mathbb{Z}_q$ by using $\mathcal{U}_5^*$.

Reduction algorithm: $\mathcal{M}_3$ sets $(p, q, g) := (p, q, g)$. It then flips a coin, $\chi \in_U \{0, 1\}$, to select either $y := Y$ (case $\chi = 0$), or $y := g^{x}$ with randomly chosen $x$ (case $\chi = 1$).

1. $\mathcal{M}_3$ selects $w, w_0 \in_U \mathbb{Z}_q$ and sets $h := g^{w}$ and $z := g^{w_0}$ by defining $\mathcal{H}_1$ so.

2. $\mathcal{M}_3$ selects $I \in_U \{1, \ldots, \ell\}$ and $J \in_U \{1, 2\}$.

3. $\mathcal{M}_3$ runs $\mathcal{U}_5^*$ simulating $\mathcal{S}$ as follows.

— For $\mathrm{run}_i$ ($i \ne I$), $\mathcal{M}_3$ simulates with the z-side witness in the same way as shown in Step 2 of Case $y = Y$ in the proof of Lemma 2.
— For $\mathrm{run}_I$,

• if $\chi = 0$, $\mathcal{M}_3$ simulates with the z-side witness as above, or

• if $\chi = 1$, it defines $z_{1I} := \mathcal{H}_2(\mathrm{rnd}_I) = Y$ and follows the issuing protocol by using the y-side witness.

$\mathcal{M}_3$ simulates $\mathcal{H}_3$ by returning random values, say $e_1$ and $e_2$.

4. $\mathcal{U}_5^*$ outputs two signatures.

5. $\mathcal{M}_3$ rewinds and restarts $\mathcal{U}_5^*$ with the same setting. $\mathcal{M}_3$ answers the $J$-th query to $\mathcal{H}_3$ with $e_J' \in_U \mathbb{Z}_q$.

6. $\mathcal{U}_5^*$ outputs two signatures.

7. Let $(\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta, \mu)$ and $(\zeta, \zeta_1, \rho', \omega', \sigma_1', \sigma_2', \delta', \mu')$ be the resulting signatures that correspond to $e_J$ and $e_J'$ respectively. (If any of the resulting signatures does not correspond to the hash value, $\mathcal{M}_3$ fails.) If $\chi = 0$ and $\omega \ne \omega'$, $\mathcal{M}_3$ outputs $\log_g y = \log_g Y = (\rho - \rho')/(\omega' - \omega) \bmod q$. If $\chi = 1$ and $\delta \ne \delta'$, it outputs $\log_g z_{1I} = \log_g Y = (\sigma_1 - \sigma_1')/(\delta' - \delta) \bmod q$. $\mathcal{M}_3$ fails otherwise.

Evaluation of success probability: (sketch)

The probability that $\mathcal{U}_5^*$ is successful and the obtained twin signatures are correlated to $\mathrm{run}_I$ is at least $\epsilon_5/\ell$. The probability is taken over the coin flips of $\mathcal{G}$, $\mathcal{S}$, $\mathcal{U}_5^*$ and the choices of $\mathcal{H}_1, \mathcal{H}_2, \mathcal{H}_3$.

According to Lemma 4, we can find, with probability at least $\epsilon_5/(2\ell)$, convenient random tapes of $\mathcal{G}, \mathcal{S}, \mathcal{U}_5^*$ and $\mathcal{H}_1, \mathcal{H}_2$ that lead to the output of twin signatures corresponding to $\mathrm{run}_I$ with probability $\ge \epsilon_5/(2\ell)$. The success probability of $\mathcal{U}_5^*$ is now taken over the choice of $\mathcal{H}_3$, i.e., $e_1$ and $e_2$. We show that the standard rewinding simulation works to extract the witness of the desired side with probability not negligible in the security parameter. (The rest of the proof is actually the same as that in [3], so we give only a brief sketch below.) By $e$, we denote $(e_1, e_2)$ hereafter. Note that the number of all possible $e$ is $q^2$. Define $\mathrm{Succ}$ as the set of $e$ with which $\mathcal{U}_5^*$ succeeds. Then there exists a many-to-one mapping from $e \in \mathrm{Succ}$ to $e_I$, which is the challenge from $\mathcal{U}_5^*$ used in $\mathrm{run}_I$. Since $\epsilon_5/(2\ell)$ is not negligible in $n$, $\#\mathrm{Succ} > q$ holds for infinitely many values of $n$. Thus there exist $e$ and $e'$ in $\mathrm{Succ}$ that result in the same $e_I$. Let $\mathrm{tr}_i$ denote the transcript obtained in $\mathrm{run}_i$. That is, $\mathrm{tr}_i = \{(\mathrm{rnd}_i, a_i, b_{1i}, b_{2i}), e_i, d_i\}$ (excluding the dependent variables $r_i, c_i, s_{1i}, s_{2i}$). For such $e$ and $e'$, the sequences of transcripts are identical with regard to $\mathrm{run}_I$, that is, $(\mathrm{tr}_1, \ldots, \mathrm{tr}_I, \ldots, \mathrm{tr}_\ell)$ and $(\mathrm{tr}_1', \ldots, \mathrm{tr}_I, \ldots, \mathrm{tr}_\ell')$.

Since the issuing protocol is witness indistinguishable, the distribution of $\mathrm{tr}_I$ does not depend on the choice of $\chi$. The same is true for the other $\mathrm{tr}_i$ and $\mathrm{tr}_i'$, as they are produced by z-side witnesses selected independently from $y$. Thus, if $\mathcal{U}_5^*$ is run twice with such $e$ and $e'$, $\mathcal{U}_5^*$ produces a collision that results in exposing either the z-side witness or the y-side witness independently from $\chi$. It is successful if the y-side witness is extracted when $\chi = 0$, or the z-side witness, which contains $w_I = \log_g z_{1I} = \log_g Y$, is extracted when $\chi = 1$. These successful cases happen with probability 1/2 due to the random choice of $\chi$. The difficulty is that we rarely find such $e$ and $e'$. So we consider what happens if $e$ and $e''$ that result in different $e_I$ and $e_I''$ are chosen in the simulation. In this case, $\mathrm{tr}_I$ and $\mathrm{tr}_I''$ differ and may reflect the choice of $\chi$, so that they only yield a useless witness that we already have. We can, however, prove that such a useless result cannot occur all the time. Suppose that $\chi = 0$ and $e$ and $e'$ yield the y-side witness as desired, but $e$ and $e''$ only yield the useless z-side witness. This means that $\omega \ne \omega'$ and $\omega = \omega''$. Thus $\omega' \ne \omega''$, and the desired y-side witness can be extracted if $e'$ and $e''$ are chosen. Following this observation, [3] estimated the probability of finding such a convenient pair of $e$ and concluded that it was not negligible in the security parameter $n$. □



5 Application to Double-Spender-Traceable E-cash

Here we apply the proposed blind signature scheme to create a secure anonymous e-cash scheme that provides double-spender traceability.

The withdrawal protocol is exactly the same as the signature issuing protocol. A coin is the 7-tuple $\mathrm{coin} = (\zeta, \zeta_1, \rho, \omega, \sigma_1, \sigma_2, \delta)$, which omits $\mu$ from the signature described in the previous section. The user stores the coin together with $\tau$ and $\gamma$. To pay, the user releases the coin and $(\epsilon_p, \mu_p)$, where $\epsilon_p = \mathcal{H}_4(z^{\tau} \| \mathrm{coin} \| \mathrm{desc})$ and $\mu_p = \tau - \epsilon_p \gamma \bmod q$. Here $\mathcal{H}_4 : \{0,1\}^* \to \mathbb{Z}_q$ is a hash function and $\mathrm{desc}$ is the unique description of the transaction. The shop accepts if

$\zeta \ne 1$,

$\omega + \delta = \mathcal{H}_3(\zeta \| \zeta_1 \| g^{\rho} y^{\omega} \| g^{\sigma_1} \zeta_1^{\delta} \| h^{\sigma_2} (\zeta/\zeta_1)^{\delta} \| z^{\mu_p} \zeta^{\epsilon_p}) \bmod q$, and
$\epsilon_p = \mathcal{H}_4(z^{\mu_p} \zeta^{\epsilon_p} \| \mathrm{coin} \| \mathrm{desc}) \bmod q$.

Note that $z^{\mu_p} \zeta^{\epsilon_p} = z^{\tau - \epsilon_p\gamma} z^{\gamma\epsilon_p} = z^{\tau}$, so the shop recomputes exactly the value the user hashed.

It is not hard to see that a double payment using different $\mathrm{desc}$ and $\mathrm{desc}'$ with the same coin yields $(\epsilon_p, \mu_p)$ and $(\epsilon_p', \mu_p')$ with $\epsilon_p \ne \epsilon_p'$ (barring a collision in $\mathcal{H}_4$), which allows the bank to extract the blinding factor $\gamma$ as $\gamma = (\mu_p' - \mu_p)/(\epsilon_p - \epsilon_p') \bmod q$. Since we can prove that Lemma 2 also applies to this variant, $\gamma$ should expose the $z_{1i}$ used in a particular withdrawal session invoked by an authenticated user.
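Both the rewinding reductions above (Lemma 3 and the proof of the Theorem) and the double-spender tracing of this section rest on one special-soundness step: two accepting transcripts with the same first message and different challenges reveal the witness. The Python script below, added here as an illustration and not code from the paper, carries that step through in a toy prime-order group: a stand-in for $\mathcal{U}^*$ is run twice on the same random tape with two different $\mathcal{H}_3$ answers and $\log_g y$ is recovered as $(\rho-\rho')/(\omega'-\omega)$; then one coin is spent twice under different $\mathrm{desc}$ and the bank recovers $\gamma = (\mu_p'-\mu_p)/(\epsilon_p-\epsilon_p')$. The group (a 64-bit safe prime found deterministically), the forger model, SHA-256 standing in for the random oracles and the reduced coin layout are all assumptions of this example.

```python
"""Witness extraction from two transcripts that share a first message.

Added example, not code from the paper.  It models the rewinding reduction
(same random tape, two different H_3 answers) and the bank tracing a
double-spender (same coin, two different desc).  The group, the forger and
the coin layout are constructed for the demo.
"""
import hashlib
import random
from typing import Callable, Tuple


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (fixed bases)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64, seed: int = 2001) -> Tuple[int, int, int]:
    """Deterministically pick p = 2q + 1 (both prime) and a g of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)  # a square != 1


P, Q, G = safe_prime_group()  # toy group; real use needs a >= 256-bit q


def hash_to_zq(*parts) -> int:
    """Random-oracle stand-in for H_3 / H_4: SHA-256 reduced mod Q."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def extract(r1: int, c1: int, r2: int, c2: int) -> int:
    """Special soundness: from r = u - c*x and r' = u - c'*x with c != c',
    x = (r - r') / (c' - c) mod Q (the paper's (rho - rho') / (omega' - omega))."""
    assert c1 != c2, "equal challenges: nothing to extract"
    return (r1 - r2) * pow((c2 - c1) % Q, -1, Q) % Q


def make_forger(x: int) -> Callable[[int, int], Tuple[int, int]]:
    """Stands in for U^*: deterministic in (random tape, oracle answer).  It is
    given x only so the demo yields valid transcripts; the reduction never reads x."""
    def run(tape: int, e: int) -> Tuple[int, int]:
        u = random.Random(tape).randrange(1, Q)  # commitment fixed by the tape
        return pow(G, u, P), (u - e * x) % Q      # (a, rho)
    return run


def rewind_and_extract(forger, y: int, tape: int, seed: int = 2) -> int:
    """The reduction: run U^* twice on the same tape with e != e', then
    log_g y = (rho - rho') / (e' - e)."""
    rng = random.Random(seed)
    e1 = rng.randrange(Q)
    e2 = (e1 + rng.randrange(1, Q)) % Q          # forces e2 != e1
    (a1, r1), (a2, r2) = forger(tape, e1), forger(tape, e2)
    assert a1 == a2, "rewinding must replay the same first message"
    for e, r in ((e1, r1), (e2, r2)):            # both transcripts verify
        assert pow(G, r, P) * pow(y, e, P) % P == a1
    return extract(r1, e1, r2, e2)


def withdraw_coin(z: int, gamma: int) -> dict:
    """Constructed stand-in for the 7-tuple coin: only zeta = z^gamma and an
    opaque identifier matter for the payment checks below."""
    zeta = pow(z, gamma, P)
    return {"zeta": zeta, "id": f"coin-{zeta}"}


def pay(coin: dict, z: int, tau: int, gamma: int, desc: str) -> Tuple[int, int]:
    """User: eps_p = H_4(z^tau || coin || desc), mu_p = tau - eps_p * gamma."""
    eps = hash_to_zq(pow(z, tau, P), coin["id"], desc)
    return eps, (tau - eps * gamma) % Q


def shop_accepts(coin: dict, z: int, desc: str, eps: int, mu: int) -> bool:
    """Shop: z^mu * zeta^eps equals z^tau, so H_4 must reproduce eps."""
    z_tau = pow(z, mu, P) * pow(coin["zeta"], eps, P) % P
    return eps == hash_to_zq(z_tau, coin["id"], desc)


def trace_double_spender(pay1: Tuple[int, int], pay2: Tuple[int, int]) -> int:
    """Bank: two payments of one coin under different desc give
    gamma = (mu' - mu) / (eps - eps')."""
    (eps1, mu1), (eps2, mu2) = pay1, pay2
    return extract(mu1, eps1, mu2, eps2)
```

The forger is handed $x$ only so that its transcripts verify; `extract` and the bank code never read it. With challenges in $\mathbb{Z}_q$ for a 64-bit $q$ the two $\mathcal{H}_4$ values of a double-spent coin collide with probability about $2^{-63}$, which is why `extract` can insist on $c \ne c'$ rather than handle that case.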

6 Conclusion 

We presented an efficient three-move blind signature scheme. It provides one-more unforgeability with polynomially many signatures. From a practical point of view, the scheme is less efficient than the known schemes secure for logarithmically many signatures, but it remains practical as it costs only a few times more than the Schnorr blind signature scheme.

The unforgeability was proven under the discrete-log assumption in the random oracle model. Computing the exact reduction cost in the style of [?] seems hard due to the intricate reduction algorithm. Accordingly, the success probability was argued in the classical style, i.e., it was shown that the success probability of the reduction is not negligible in the security parameter.

We have also presented a secure double-spender-traceable e-cash scheme to demonstrate the suitability of our scheme. The scheme is the first single-term scheme whose security against parallel withdrawals can be proven under only the discrete-log and random oracle assumptions.
Appendix

The following lemma is known as the Heavy-row Lemma [?] or the Splitting Lemma [?]. Let $X \times Y$ be a product space and $A$ a subset of it. Let $(x, y)$ denote an element of $X \times Y$.

Lemma 4. Let $A$ satisfy $\Pr[(x, y) \in A] \ge \epsilon$ for some $\epsilon$, and let $B = \{x \in X \mid \Pr_{y \in Y}[(x, y) \in A] \ge \epsilon/2\}$. Then $\Pr_{x \in X}[x \in B] \ge \epsilon/2$.

The following lemma is the reverse of the above in some sense.

Lemma 5. Let $A$ satisfy $\Pr[(x, y) \in A] \le \epsilon$ for $\epsilon < 1/3$. Define

$B = \{x \in X \mid \Pr_{y \in Y}[(x, y) \in A] \ge 1 - \epsilon\}$, and
$C = \{y \in Y \mid \Pr_{x \in X}[(x, y) \in A] \ge 1 - \epsilon\}$.

Then either $\Pr[x \in B] \le \epsilon$ or $\Pr[y \in C] \le \epsilon$ holds.

Proof. By contradiction. Assume that $\Pr[x \in B] > \epsilon$ and $\Pr[y \in C] > \epsilon$. Let

$BY = \{(x, y) \in A \mid x \in B\}$, and
$CX = \{(x, y) \in A \mid y \in C\}$.

Observe that $|CX| \ge (1 - \epsilon)|X| \cdot \epsilon|Y|$ and $|BY| \ge \epsilon|X| \cdot (1 - \epsilon)|Y|$. Let $CX'$ and $BY'$ denote minimal subsets of $CX$ and $BY$, which, respectively, can be considered as $(1 - \epsilon)|X| \times \epsilon|Y|$ and $\epsilon|X| \times (1 - \epsilon)|Y|$ rectangles over the plane $X \times Y$. Since $1 - \epsilon > \epsilon$, the maximum overlap of those rectangles is $\epsilon|X| \times \epsilon|Y|$. So $|CX' \cap BY'| \le \epsilon^2 |X||Y|$. Since $|A| \ge |CX'| + |BY'| - |CX' \cap BY'|$, we have

$\epsilon|X||Y| \ge (1 - \epsilon)|X| \cdot \epsilon|Y| + \epsilon|X| \cdot (1 - \epsilon)|Y| - \epsilon^2|X||Y|$,
$\epsilon \ge 1/3$,

which is a contradiction. □

Lemma 5 can be generalized in the following way by repeatedly applying itself. Let $(x_1, \ldots, x_k)$ denote an element of the product space $X^k$. Let $(x_1, \ldots, x_k)^{-j}$ denote removal of the $j$-th element, i.e., $(x_1, \ldots, x_{j-1}, x_{j+1}, \ldots, x_k)$.

Corollary 1. Let $A$ satisfy $\Pr[(x_1, \ldots, x_k) \in A] \le \epsilon$ for $\epsilon < 1/3$. Then there exists $j$ such that $\Pr[(x_1, \ldots, x_k)^{-j} \in B_j] \le \epsilon$ where
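To see what Lemma 4 and Lemma 5 say on concrete data, the Python script below (added here; it is not part of the paper) models $A$ as a 0/1 table over $X \times Y$ and computes exactly the row and column fractions the two lemmas bound. It is exercised on two constructed tables: one in which every success is packed into a few full rows (the situation Lemma 4 is tight for), and one in which more than $\epsilon$ of the rows are $(1-\epsilon)$-heavy, so that Lemma 5's conclusion has to come from the column side. The tables and thresholds are constructed for this example.

```python
"""The Heavy-row (Splitting) Lemma and its reverse, checked on concrete tables.

Added example, not from the paper: the set A is a 0/1 table over X x Y
(row = x, column = y); the functions compute the quantities bounded by
Lemma 4 and Lemma 5 so the inequalities can be checked on constructed tables.
"""
from fractions import Fraction
from typing import List, Tuple

Table = List[List[int]]  # table[x][y] == 1 iff (x, y) in A


def density(table: Table) -> Fraction:
    """Pr[(x, y) in A] under uniform (x, y)."""
    return Fraction(sum(map(sum, table)), len(table) * len(table[0]))


def heavy_row_fraction(table: Table, threshold) -> Fraction:
    """Pr_x[x in B] for B = {x : Pr_y[(x, y) in A] >= threshold}."""
    threshold = Fraction(threshold)
    heavy = sum(1 for row in table if Fraction(sum(row), len(row)) >= threshold)
    return Fraction(heavy, len(table))


def lemma4_holds(table: Table) -> bool:
    """Lemma 4: with eps = Pr[A], rows of density >= eps/2 make up >= eps/2 of X."""
    eps = density(table)
    return heavy_row_fraction(table, eps / 2) >= eps / 2


def lemma5_parts(table: Table, eps) -> Tuple[Fraction, Fraction]:
    """(Pr[x in B], Pr[y in C]) with the 1 - eps thresholds of Lemma 5."""
    eps = Fraction(eps)
    assert eps < Fraction(1, 3) and density(table) <= eps, "outside the hypothesis"
    columns = [list(col) for col in zip(*table)]  # transpose: columns as rows
    return heavy_row_fraction(table, 1 - eps), heavy_row_fraction(columns, 1 - eps)


def lemma5_holds(table: Table, eps) -> bool:
    """Lemma 5: at least one of the two fractions is <= eps."""
    b, c = lemma5_parts(table, eps)
    return b <= Fraction(eps) or c <= Fraction(eps)


def concentrated_table(rows: int, cols: int, full_rows: int) -> Table:
    """Constructed case for Lemma 4: every success sits in a few full rows, so
    the heavy rows are exactly those rows (fraction eps, well above eps/2)."""
    return [[1] * cols if x < full_rows else [0] * cols for x in range(rows)]


def striped_table(rows: int, cols: int, k_rows: int, k_cols: int) -> Table:
    """Constructed case for Lemma 5 where the row bound fails: k_rows rows each
    hit k_cols/cols of Y, so B is large and the lemma is saved by C being empty."""
    return [[1 if x < k_rows and y < k_cols else 0 for y in range(cols)]
            for x in range(rows)]
```

Thresholds are passed as exact fractions (`"3/10"`, or a `Fraction`) rather than floats: a float `0.3` is slightly above $3/10$, and a row of density exactly $7/10$ would then fall just under the $1-\epsilon$ threshold and silently change the count.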
Abstract. We propose a threshold RSA scheme which is as efficient as 
the fastest previous threshold RSA scheme (by Shoup), but where two 
assumptions needed in Shoup’s and in previous schemes can be dropped, 
namely that the modulus must be a product of safe primes and that a 
trusted dealer generates the keys. The robustness (but not the unforge- 
ability) of our scheme depends on a new intractability assumption, in 
addition to security of the underlying standard RSA scheme. 



1 Introduction 

In a threshold public-key system we have a standard public key (for the RSA system, for instance), while the private key is shared among a set of servers, in such a way that by collaborating, these servers can apply the private key operation to a given input, to decrypt it or sign it, as the case may be. If there are $l$ servers, such schemes typically ensure that even if an active adversary corrupts fewer than $l/2$ servers, he will not learn additional information about the private key, and will be unable to force the network to compute incorrect results. Thus threshold cryptography is an important concept because it can substantially improve the reliability and security of public-key systems in practice.

Threshold schemes based on the discrete log problem are relatively straightforward to build, and have been known for a long time. It is even possible to make efficient schemes where also the key generation phase is done by the servers in a distributed way [?]. This way we can completely avoid assuming any fixed trusted parties in the system.

Basing threshold schemes on RSA is technically more difficult because we have to work in a group of non-prime and unknown order ($\mathbb{Z}_n^*$ rather than a prime order subgroup of $\mathbb{Z}_p^*$ for a prime $p$). Nevertheless RSA-based schemes have been known for some time, see [?] for the first reasonably efficient and robust solutions. However, due to the technical difficulties mentioned, they tend to be more complex and less efficient in comparison to the discrete log schemes. One concrete reason is that they use secret sharing "in two levels", i.e. server $i$ knows a number $d_i$, such that the $d_i$ sum to $d$, the secret RSA exponent. In addition, each $d_i$ is verifiably secret shared among the servers. In such a scenario, testing if servers have behaved correctly is more complex than in the discrete log case, and if faults do occur, interaction between the servers is necessary to recover.

Recently, however, Shoup [?] proposed a threshold RSA signature scheme which is essentially as efficient as possible: the scheme uses only one level of secret sharing; to sign a message, each server simply sends a single response to a signature request, and must do work that is equivalent up to a constant factor to computing a single RSA signature. No further interaction is needed to recover from faults. Unfortunately, that scheme, like any previous efficient RSA-based scheme, needs to assume a trusted dealer to generate keys. This is caused by the fact that it relies on a special property of the RSA modulus, namely it must be the product of two so-called safe primes (i.e. the modulus $n$ is the product of primes $p, q$, where $p' = (p-1)/2$, $q' = (q-1)/2$ are also prime). The problem now is that although reasonably efficient distributed RSA key generation protocols are known [?], none of these protocols can ensure that the modulus is a product of safe primes.¹ One attempt to overcome this was made by Miyazaki et al. [?], who build a threshold RSA scheme that can use the key generation protocol from [?]. Unfortunately that scheme is significantly less efficient than Shoup's. It uses two-level secret sharing and needs interaction between servers for each message signed, even if no faults occur. Fouque and Stern [?] present, independently of our work, a distributed threshold RSA scheme in which they modify the distributed generation of RSA keys from [?] and combine this with Shoup's scheme [?]. The security of their protocol is based only on the underlying standard RSA scheme, but it is less efficient than ours by a factor that grows with the security parameter $k$ (Fouque and Stern estimate a factor of 30 for a realistic setting of the parameters).

In this paper, we overcome the problem in a more efficient way by constructing a new threshold RSA scheme which may be seen as a generalization of Shoup's, is essentially as efficient as that scheme, follows the same communication pattern, but does not need the assumption about safe primes. As we shall see, this implies that the distributed RSA key generation protocol from [?] can be used to generate keys for our scheme. Note that there may be good reasons to avoid safe primes, other than the distributed key generation issue: first, we do not even know if there are infinitely many safe primes, and second it may turn out to be the case that safe primes are not "safe" at all: although it currently looks as if safe prime products are as hard to factor as RSA moduli in general, this may eventually turn out to be false; indeed most experts agree that choosing the primes as randomly as possible gives the best security.

On the technical level, one difficulty that arises when safe primes are not assumed relates to the efficient zero-knowledge protocols used in [?] to verify the behavior of servers. These protocols seem to fail if safe primes are not used, primarily because the group we are working in is no longer cyclic, and may have small prime factors in its order. We get around this by showing that with small modifications to the protocols and under an appropriate intractability assumption, the adversary will not be able to exploit the "deficiencies" of the group. Concretely, we show that zero-knowledge proofs of equality of discrete logarithms over a general RSA modulus can be done very efficiently (i.e. without resorting to binary challenge proofs) as long as the prover does not know the factorization. This may be of independent interest, and was previously only known if the modulus was a safe prime product.

¹ Of course, generic multiparty computation methods could be used to generate and share such keys in a distributed fashion, but this would be extremely inefficient and completely unsatisfactory in practice.

Following Shoup, we describe and prove our scheme assuming the random oracle model; however, we rely on it only for robustness of the scheme (and not for unforgeability). At the expense of an additional round of interaction when signing a message, we can avoid using random oracles. The details are omitted since they are standard and straightforward.

To prove the security of our scheme, we need an intractability assumption in addition to the standard RSA assumption. Informally speaking, we assume that given the public key $n, e$:

— The adversary cannot compute an element $a \ne \pm 1 \bmod n$ such that $a$ has "extremely small order". More precisely, the adversary cannot compute an $a \ne \pm 1 \bmod n$ whose order is not divisible by $q$, where $q$ is the largest prime factor of $\phi(n)$.

— The adversary cannot distinguish a random square modulo $n$ from a random square of maximal order.

As evidence in favor of this assumption, we first note that it is well known that computing the order of a random element is equivalent to factoring. Specifically w.r.t. the first item, for a random RSA modulus $n$, there is overwhelming heuristic evidence that the prime $q$ will be large (superpolynomial) with overwhelming probability. And so a suitable $a$ cannot be found by choosing randomly. Indeed, it seems that one would need to raise a randomly chosen element to the $q$-th power to find such an $a$; however, guessing $q$ is very unlikely to be feasible if factoring is difficult at all. Also, we note that if $n = pq$ is chosen such that $(p-1)/2$ and $(q-1)/2$ have no prime factors less than some number $B$, then finding $a \ne \pm 1$ of order less than $B$ is as hard as factoring $n$, since the only possibilities for $a$ are the two non-trivial square roots of 1. In [?], Fouque and Stern show a distributed protocol for generating such RSA moduli efficiently when $B$ is (essentially) a constant (so this does not quite suffice to show that our assumption is equivalent to factoring for such $n$). The second item can be seen as a generalization of the Quadratic Residuosity Assumption, which can be interpreted as stating that it is difficult to decide if a given element has a maximal power of 2 dividing its order. Our conjecture makes a similar statement for other prime factors.

For the version of our scheme we describe here, we actually need that this assumption holds even if the adversary is given an oracle for RSA signatures, i.e., the adversary can specify an $M$ and will be given the $e$-th root modulo $n$ of $H(M)$, where $H$ is a secure hash function. While this extra condition does not seem to help the adversary in computing orders of elements, it can be removed completely if we are willing to assume that $H$ can be modelled as a random oracle.

In [?] and [?], Damgård/Jurik and Fouque et al. construct threshold versions for (generalizations of) Paillier's probabilistic public key system [?] using the basic techniques from Shoup's scheme. These protocols all assume a trusted dealer. Using similar constructions, but starting from our scheme instead of Shoup's, threshold versions of Paillier's scheme without a trusted dealer are easily obtained.



2 Model 

Here we describe the model for threshold signature schemes we use, rather informally, due to space limitations. In the type of schemes we consider there are $l$ servers. In the generation phase, on input a security parameter $k$, the public key $pk$ and secret key shares $s_1, \ldots, s_l$ are created, where $s_i$ belongs to server number $i$. There is a signing protocol defined for the servers which takes a message $M$ as input and outputs (publicly) a signature $\sigma$. Finally, there is a verification predicate $V$, which is efficiently computable, takes $pk$, message $M$ and signature $\sigma$ as inputs, and returns accept or reject. Both the signing protocol and the verification predicate may make use of a random oracle.

To define security, we assume a polynomially bounded static and active adversary $A$, who initially corrupts $t < l/2$ of the $l$ servers. Thus, the adversary always learns $pk$ and the $s_i$'s of corrupted servers. As the adversary's algorithm is executed, he may issue two types of requests:

— An oracle request, where he queries the random oracle used; he is then given the oracle's answer to the query he specified.

— A signature request, where the adversary specifies a message $M$. This causes the signing protocol to be executed on input $M$, where the adversary controls the behaviour of corrupted servers (and will of course see whatever information is made public by honest servers).

At the end, $A$ outputs a message $M_0$ and a signature $\sigma_0$.

We say that $A$ wins if any of the signing requests resulted in an invalid signature being output, or if he produced a forged signature on a new message, i.e. $M_0$ was not used in a previous signature request, and $V(pk, M_0, \sigma_0) = \mathrm{accept}$.

We say that the scheme is secure if every adversary wins with probability negligible in $k$.²

3 The Honest Dealer Scheme

In this section we first describe our scheme assuming an honest dealer that will generate and distribute the keys. The algorithm we specify for the dealer looks rather strange, taken by itself. However, the dealer is designed in such a way that the information he distributes matches the output that can be generated by the distributed RSA key generation protocol of Frankel et al. [?]. Therefore, once we prove the security of the honest dealer scheme, a secure (and efficient) scheme without an honest dealer follows easily. We return to this issue in a later section.

² Unlike the definition in [?], we treat robustness and unforgeability together; this does not make any essential difference.

In the threshold scheme to be described, an RSA public key $n, e$ will be selected. We will assume that there exists some method, represented by a function $H$, for mapping an input message $M$ to an element $H(M) \in \mathbb{Z}_n$. Then the signature we will compute is just the standard RSA signature $H(M)^d \bmod n$, where $d$ is the private exponent corresponding to $e$. We will refer to this as the underlying RSA scheme. The function $H$ can be a hash function, a redundancy scheme, or a combination of both; our construction will work fine in any case. But we do assume throughout that the underlying RSA signature scheme is secure, more precisely that it is not existentially forgeable under a chosen message attack. This is clearly a necessary assumption, since without it no threshold scheme we build from the underlying scheme can be secure. Note that, assuming $H$ can be modelled as a random oracle, security of RSA signatures using $H$ follows from only the standard RSA assumption.

The dealer. Let $\Delta = l!$. The dealer chooses at random $p_1, \ldots, p_l, q_1, \ldots, q_l \in_R [2^{?}]$ until $p = (p_1 + \cdots + p_l)$ and $q = (q_1 + \cdots + q_l)$ are prime numbers and $\gcd((p-1)/2, \Delta) = \gcd((q-1)/2, \Delta) = 1$. The RSA modulus is $n = pq$. The dealer also chooses a public exponent $e$ as a prime $e > l$. The public key is $pk = (n, e)$.

Next the dealer executes the generation of private keys from [?] to compute $d\Delta^2 = d_1 + \cdots + d_{t+1} \in \mathbb{Z}$ such that $de \equiv 1 \bmod \phi(n)$, $\Delta \mid d_1, \ldots, \Delta \mid d_{t+1}$, and $|d_1|, \ldots, |d_{t+1}|$ are bounded in terms of some constant $C > 1$.³

The dealer performs secret sharing over the integers, which was introduced in [?] and presented in a modified version in [?]. For $1 \le i \le t+1$ a random polynomial $f_i(x) = \sum_{j=0}^{t} f_{ij} x^j$ is chosen such that $f_{i0} = d_i$ and for $1 \le j \le t$ we have $f_{ij} \in_R \{0, \Delta, 2\Delta, \ldots, \Delta^{?} n^{?} \cdot \Delta\}$. We define a polynomial $f(x) = f_1(x) + \cdots + f_{t+1}(x)$. We can observe that $f(0) = d\Delta^2$ and $f(x)$ is a multiple of $\Delta$ for all integers $x$.

For $1 \le i \le l$, the dealer computes $s_i = f(i) = f_1(i) + \cdots + f_{t+1}(i)$, which is the secret key of server $i$. If we define $a(k, l) = 4k + (12l + 4) \log l$, it is easy to verify that $0 \le s_i < 2^{a(k, l)}$.

The dealer chooses $v \in \mathbb{Z}_n^*$ as a random square. For $1 \le i \le l$, the dealer computes the verification key $v_i = v^{s_i}$ of server $i$.

³ We note that the description in [?] in some places leaves open alternatives for how details in their key generation protocol are executed. Choosing different options leads to minor differences in the output distribution. We stick to one option here for simplicity. Any of the other options could easily be accommodated here by adjusting the description of the honest dealer.

⁴ In case of a small public exponent, the protocol from [?] instead generates the private exponent $d\Delta^2$ as a sum of $l$ shares. Our construction could also be based on this method. The protocol and the proofs would be analogous.
Signing protocol.

1. When a message $M$ is requested to be signed, we set $x = H(M)$, where $H$ is a hash function, a redundancy scheme, or a combination of both, and use the scheme to compute $x^{d} \bmod n$.

2. We define the signature share $x_i$ of server $i$ by
   $x_i = x^{2\Delta^{2} s_i}$.

3. Server $i$ can prove that the discrete logarithm of $x_i^{2}$ to the base $\tilde{x} = x^{4\Delta^{2}}$ is the same as the discrete logarithm of $v_i$ to the base $v^{\Delta}$.

We construct the proof of correctness. Let $H$ be a hash function modelled as a random oracle, whose output is an $L_1$-bit integer, where $L_1$ is a secondary security parameter (e.g. $L_1 = 128$).

Each server $i$ chooses at random a number $r \in \{0, \ldots, 2^{a(k,l) + 2L_1} - 1\}$. Let
   $c = H(v, \tilde{x}, v_i, x_i^{2}, v^{\Delta r}, \tilde{x}^{r}), \qquad z = s_i c + r.$
The proof of correctness produced by server $i$ is $(z, c)$.

4. To verify this proof of correctness, one should check that
   $c = H(v, \tilde{x}, v_i, x_i^{2}, v^{\Delta z} v_i^{-c}, \tilde{x}^{z} x_i^{-2c}).$

5. Suppose that valid shares were generated by honest servers from a set $S = \{i_1, \ldots, i_{t+1}\} \subseteq \{1, \ldots, l\}$. For all $j \in S$ we define the Lagrange coefficients multiplied by $\Delta$:

Since $e$ is prime to $4\Delta^{2}$, we can obtain integers $a$ and $b$ from the extended Euclidean algorithm such that $a \cdot 4\Delta^{2} + be = 1$. Finally we have a signature $y = w^{a} x^{b}$, because $y^{e} = x$.

This shows that $y$ is obtained if the signature shares $x_i$ are computed by honest servers only. In real life, we will only know that the $x_i$'s are values that allow the servers to produce acceptable proofs of correctness. We will later show that this (with overwhelming probability) is sufficient.
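The signing protocol above (steps 1 to 5) and the share-combination step, written out in Python as an added example that is not part of the paper. It uses Shoup's parameterisation ($d$ itself is shared, $x_i = x^{2\Delta s_i}$, $\tilde{x} = x^{4\Delta}$, $v_i = v^{s_i}$) rather than this paper's $\Delta^{2}$ variants, whose exponents are not fully legible in this scan; the combining identity $a \cdot 4\Delta^{2} + be = 1$ is the one in step 5. The modulus, $l = 4$, $t = 1$, $e = 7$, the message and the random-oracle stand-in `challenge` (with $L_1 = 128$) are all constructed for the example.

```python
# Added example, not the paper's code: Shoup-style threshold RSA signing with toy parameters.
import hashlib
import math
import random

P, Q = 23, 47               # constructed safe primes (23 = 2*11+1, 47 = 2*23+1)
N = P * Q                   # toy modulus n = 1081
PHI = (P - 1) * (Q - 1)     # phi(n) = 1012
E = 7                       # public exponent, coprime to phi(n) and to 4*Delta^2
L, T = 4, 1                 # l servers, t corruptions tolerated; t+1 shares sign
DELTA = math.factorial(L)   # Delta = l! clears the Lagrange denominators
D = pow(E, -1, PHI)         # private exponent, d*e = 1 mod phi(n)
L1 = 128                    # challenge length in bits (secondary security parameter)


def deal_shares(rng):
    """Honest dealer: s_i = f(i) for a random degree-t integer polynomial with f(0) = d
    and non-constant coefficients multiples of Delta; verification keys v_i = v^{s_i}."""
    coeffs = [D] + [DELTA * rng.randrange(1, N * N) for _ in range(T)]
    shares = {i: sum(c * i ** j for j, c in enumerate(coeffs)) for i in range(1, L + 1)}
    v = 0
    while math.gcd(v, N) != 1:              # v: random square that is a unit mod n
        v = pow(rng.randrange(2, N), 2, N)
    return shares, v, {i: pow(v, s, N) for i, s in shares.items()}


def full_domain_hash(message):
    """x = H(M) mod n; with a toy modulus, retry until gcd(x, n) = 1 (never needed at real sizes)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(message + str(ctr).encode()).digest(), "big") % N
        if x > 1 and math.gcd(x, N) == 1:
            return x
        ctr += 1


def challenge(*values):
    """Random-oracle stand-in with an L1-bit output."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest()[: L1 // 8], "big")


def prove_share(x, s_i, v, v_i, rng):
    """Server i: x_i = x^{2 Delta s_i}; proof that dlog of x_i^2 to base x~ = x^{4 Delta}
    equals dlog of v_i to base v: c = H(v, x~, v_i, x_i^2, v^r, x~^r), z = s_i c + r."""
    x_tilde = pow(x, 4 * DELTA, N)
    x_i = pow(x, 2 * DELTA * s_i, N)
    r = rng.randrange(0, 2 ** (s_i.bit_length() + 2 * L1))   # 2*L1 bits longer than s_i
    c = challenge(v, x_tilde, v_i, pow(x_i, 2, N), pow(v, r, N), pow(x_tilde, r, N))
    return x_i, (s_i * c + r, c)


def verify_share(x, x_i, v, v_i, proof):
    """Check c == H(v, x~, v_i, x_i^2, v^z v_i^{-c}, x~^z x_i^{-2c})."""
    z, c = proof
    x_tilde = pow(x, 4 * DELTA, N)
    a = pow(v, z, N) * pow(v_i, -c, N) % N
    b = pow(x_tilde, z, N) * pow(x_i, -2 * c, N) % N
    return c == challenge(v, x_tilde, v_i, pow(x_i, 2, N), a, b)


def lagrange_delta(S, j):
    """Delta * lambda^S_{0,j}: Lagrange coefficient at 0 scaled by Delta, always an integer."""
    num, den = DELTA, 1
    for jp in S:
        if jp != j:
            num, den = num * (0 - jp), den * (j - jp)
    assert num % den == 0
    return num // den


def egcd_coeffs(m, e):
    """Extended Euclid: (a, b) with a*m + b*e = 1, assuming gcd(m, e) = 1."""
    r0, r1, a0, a1, b0, b1 = m, e, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, a0, a1, b0, b1 = r1, r0 - q * r1, a1, a0 - q * a1, b1, b0 - q * b1
    assert r0 == 1
    return a0, b0


def combine(x, accepted):
    """t+1 verified shares {j: x_j}: w = prod x_j^{2 lambda_j} = x^{4 Delta^2 d}, so
    w^e = x^{4 Delta^2}; with a*4Delta^2 + b*e = 1 the signature is y = w^a x^b."""
    S = sorted(accepted)
    w = 1
    for j in S:
        w = w * pow(accepted[j], 2 * lagrange_delta(S, j), N) % N
    a, b = egcd_coeffs(4 * DELTA * DELTA, E)
    return pow(w, a, N) * pow(x, b, N) % N


def sign(message, seed=1):
    """Dealer, then t+1 honest servers with proofs, then the combiner; returns (x, y, #accepted)."""
    rng = random.Random(seed)
    shares, v, vkeys = deal_shares(rng)
    x = full_domain_hash(message)
    accepted = {}
    for i in range(1, T + 2):
        x_i, proof = prove_share(x, shares[i], v, vkeys[i], rng)
        if verify_share(x, x_i, v, vkeys[i], proof):
            accepted[i] = x_i
    return x, combine(x, accepted), len(accepted)


def verify(message, y):
    """Plain RSA verification of the combined signature."""
    return pow(y, E, N) == full_domain_hash(message)


def corrupt_share_rejected(seed=1):
    """A wrong share cannot be passed off with an honest server's proof."""
    rng = random.Random(seed)
    shares, v, vkeys = deal_shares(rng)
    x = full_domain_hash(b"constructed message")
    x_1, proof = prove_share(x, shares[1], v, vkeys[1], rng)
    return verify_share(x, x_1, v, vkeys[1], proof) and not verify_share(x, 2 * x_1 % N, v, vkeys[1], proof)
```

`sign` followed by `verify` is the full round trip; `corrupt_share_rejected` is the combiner-side check that Lemma 2 relies on: a value other than $x^{2\Delta s_i}$ cannot be paired with an accepting proof without forging the random-oracle value, so the combiner only ever interpolates over shares that passed step 4.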
4 Proof of Security for the Honest Dealer Scheme

We start by stating our intractability assumption more formally. To this end, we define a signing oracle $O(n, e, H)$ to be an oracle that on input a message $M$ returns the signature $H(M)^{d} \bmod n$.

Conjecture 1.

— Consider any probabilistic polynomial time algorithm which gets as input $n, e$ (as chosen by the honest dealer on input $k$), gets access to a signing oracle $O(n, e, H)$, and outputs a number $a$. For any such algorithm, the probability that $a \neq 1, -1 \bmod n$ and $q$ does not divide the order of $a$, where $q$ is the largest prime factor in $\varphi(n)$, is negligible in $k$.

— Let $D = \{D(k) \mid k = 1, 2, \ldots\}$ be the family of distributions where $D(k)$ is the distribution of $n, e, v$ generated by our honest dealer on input $k$. Define $D'$ to be the same, except that $v$ is chosen as a random square of maximal order. Then $D$ and $D'$ are polynomial time indistinguishable, where distinguishers are given access to a signing oracle $O(n, e, H)$.

This assumption was already discussed in the introduction. Note that if we are willing to assume that $H$ can be modelled as a random oracle, then the signing oracles can be removed from the conjecture by a standard argument (see the footnote below).

A number of preliminary observations:

Lemma 1. The proofs of correctness for signature shares produced by honest servers can be simulated with a statistically close distribution, given the public key and the message to be signed.

Proof. We construct a simulator which can simulate the proof of correctness generated by server $i$ without knowing the value of the secret $s_i$. Recall that we invoke the random oracle for the hash function $H$. The simulator controls the random oracle. Whenever the adversary queries the random oracle, if it has not been defined yet at the given point, the simulator picks a random value and sends it to the adversary. When an honest server is expected to produce a proof of correctness for given $x, x_i$, the simulator picks random $c' \in \{0, \ldots, 2^{L_1} - 1\}$ and $z' \in \{0, \ldots, 2^{a(k,l) + 2L_1} - 1\}$. We declare the value of the random oracle at the point $(v, \tilde{x}, v_i, x_i^{2}, v^{\Delta z'} v_i^{-c'}, \tilde{x}^{z'} x_i^{-2c'})$ to be $c'$. With overwhelming probability, the random oracle has not been defined at this point before. The simulated proof is $(z', c')$. The only difference to a real proof $(z, c)$ is that in a real execution we have $z = r + c s_i$, where $r$ is a random $a(k,l) + 2L_1$-bit number. But since $r$ and $z'$ are $L_1$ bits longer than $c s_i$, the distance between the distributions of $z$ and $z'$ is exponentially small in $L_1$. □

Lemma 2. Let $q$ be the largest prime factor in $\varphi(n)$, and consider a signature share $x_i$ (for an input $x$) produced by a corrupt server. Assume that the element $v$ produced by the honest dealer has maximal order (among all squares modulo $n$), and that $x_i$ is incorrect, i.e., $x_i^{2} \neq \tilde{x}^{s_i} \bmod n$. Then, either $q$ does not divide the order of $x_i^{2} \cdot \tilde{x}^{-s_i} \bmod n$, or the probability that the adversary can construct an acceptable proof of correctness for $x_i$ is negligible. Furthermore, a correct signature can be computed from $t+1$ correct signature shares.

Footnote: Since under this assumption a signing oracle is easy to implement: if the adversary wants to see a signature on message $M$, choose a random $\sigma \in \mathbb{Z}_n$, define the output of $H$ on input $M$ to be $\sigma^{e} \bmod n$, so that $\sigma$ now is the signature on $M$.

Proof. Let $(z, c)$ be an acceptable proof produced by a corrupt server $i$. Therefore $c = H(v, \tilde{x}, v_i, x_i^{2}, v^{\Delta z} v_i^{-c}, \tilde{x}^{z} x_i^{-2c})$.

We can reinterpret this proof as an application of the following interactive protocol, where the verifier is replaced by a call to the random oracle:

Let $G$ be the group of squares in $\mathbb{Z}_n^{*}$. We have elements $v, w = v^{s} \in G$, where $v$ has maximal order in $G$ and the prover knows $s$. The prover $P$ makes elements $\alpha, \beta$, guaranteed to be in $G$ as well, and wants to convince us that $\alpha^{s} = \beta$.

So $\alpha, \beta, v$ correspond to $\tilde{x}, x_i^{2}, v^{\Delta}$ above. Note that if $v$ has maximal order, so does $v^{\Delta}$, since $n$ was chosen such that $G$ has order prime to $\Delta$.

The prover performs the following steps:

1. $P$ chooses $r$ in some large enough interval and sends $a = v^{r}$, $b = \alpha^{r}$.

2. $P$ gets a random challenge $c$ from the verifier.

3. $P$ replies by sending $z = r + cs$.

4. To check the proof, one verifies that $v^{z} = a w^{c}$ and $\alpha^{z} = b \beta^{c}$.

We can always write $G = G_1 \times \cdots \times G_u$, where the order of $G_j$ is a power of $q_j$ and $q_1, \ldots, q_u$ are the distinct prime factors in the order of $G$. So then we can think of $\alpha$ as a $u$-tuple, $\alpha = (\alpha_1, \ldots, \alpha_u)$, $\alpha_j \in G_j$, and similarly for the other group elements. Now, of course, $\alpha^{s} = \beta$ iff $\alpha_j^{s} = \beta_j$ for all $j$.

Claim. If for some $j$, $\alpha_j^{s} \neq \beta_j$, then for any initial message $(a, b)$ in the protocol, there is at most one value of $c \bmod q_j$ for which a satisfactory reply $z$ to $c$ exists.

To prove this, there are two cases we must look at, depending on whether $\beta_j \in \langle \alpha_j \rangle$ or $\beta_j \notin \langle \alpha_j \rangle$.

Assume first that $\beta_j \notin \langle \alpha_j \rangle$. Suppose that for some initial message $(a, b)$, the prover can answer both $c$ and $c'$, where $c \neq c' \bmod q_j$. This means that the prover can send $z$ and $z'$ such that $\alpha_j^{z} = b\,\beta_j^{c}$ and $\alpha_j^{z'} = b\,\beta_j^{c'}$. Dividing one equation by the other we get $\alpha_j^{z - z'} = \beta_j^{c - c'}$. Since we assumed that $\beta_j \notin \langle \alpha_j \rangle$, it must be the case that $\langle \beta_j \rangle \cap \langle \alpha_j \rangle$ is a proper subgroup of $\langle \beta_j \rangle$. Hence the order of $\beta_j^{c - c'}$ must be strictly smaller than the order of $\beta_j$, but this is a contradiction since $c - c'$ is relatively prime to $q_j$ by assumption.

Next, assume that $\beta_j = \alpha_j^{s'}$ for some $s'$, but nevertheless $\beta_j \neq \alpha_j^{s}$. So $s' \neq s \bmod \operatorname{ord}(\alpha_j)$, where $\operatorname{ord}(\alpha_j)$ is some power of $q_j$. The order of $v_j$ is also a power of $q_j$, and $\operatorname{ord}(\alpha_j) \le \operatorname{ord}(v_j)$ because $v$ has maximal order in $G$. Assume again that given some initial message $(a, b)$, the prover can answer both $c$ and $c'$, where $c \neq c' \bmod q_j$, by sending responses $z, z'$. From the equations the verifier checks, we get
   $v_j^{z' - z} = w_j^{c' - c}, \qquad \alpha_j^{z' - z} = \beta_j^{c' - c}.$
Now, $c' - c$ is relatively prime to $q_j$, so we can set $d = (c' - c)^{-1} \bmod \operatorname{ord}(v_j)$ and raise both equations to the $d$'th power. Since the order of $\alpha_j$, and hence of $\beta_j$, is at most $\operatorname{ord}(v_j)$, this gives us
   $v_j^{d(z' - z)} = w_j, \qquad \alpha_j^{d(z' - z)} = \beta_j.$
Hence $d(z' - z) = s \bmod \operatorname{ord}(v_j)$ and also $d(z' - z) = s' \bmod \operatorname{ord}(\alpha_j)$, which implies $s = s' \bmod \operatorname{ord}(\alpha_j)$, a contradiction.

This finishes the proof of the claim.

We now return to the situation where we have been given an incorrect signature share $x_i$. Recall that we defined $q$ to be the largest prime factor in the order of $\mathbb{Z}_n^{*}$, and hence in the order of $G$, so $q$ is one of the $q_j$'s, say $q = q_1$. Let $\phi$ be the natural homomorphism from $G$ to $G_1$. We may assume that $\phi(x_i^{2}) \neq \phi(\tilde{x}^{s_i})$, i.e., $x_i$ is "incorrect in $G_1$", since otherwise $q$ does not divide the order of $x_i^{2} \tilde{x}^{-s_i}$. It then follows from the claim we just proved that for each oracle call the adversary makes where $x_i$ occurs as signature share, the probability that this results in an acceptable proof is at most $1/q$ (note that if the adversary attempts to make a proof without calling the oracle, it is clear that it will be accepted with probability at most $2^{-L_1}$). It follows from the first part of Conjecture 1 that $1/q$ must be negligible, since otherwise a small order element could be found by guessing at random. Since the adversary can only make a polynomial number of oracle calls, it follows that the probability that he can make an acceptable proof for such an $x_i$ is negligible.



Combining shares. Assume that we have $t+1$ correct signature shares $x_{i_1}, \ldots, x_{i_{t+1}}$. For $1 \le j \le t+1$ the signature shares satisfy the property
   $x_{i_j}^{2} = \tilde{x}^{s'_{i_j}}$, where $s'_{i_j} = s_{i_j} \bmod \operatorname{ord}(v^{\Delta})$.
Since $v$ is an element of maximal order in the group of squares in $\mathbb{Z}_n^{*}$ and $\tilde{x} = x^{4\Delta^{2}}$, we have
   $\tilde{x}^{s'_{i_j}} = \tilde{x}^{s_{i_j}} \bmod n.$
Therefore $t+1$ correct signature shares allow us to compute a correct signature. □

Lemma 3. Let $n, e$, distributed as the honest dealer chooses them, be given. Based on this, the information the adversary learns from the honest dealer initially can be simulated with a statistically close distribution.

Proof. Suppose that the adversary corrupted $t$ servers $i_1, \ldots, i_t$.

We choose at random $r \in \mathbb{Z}_n$ and distribute $r\Delta^{2}$ randomly as a sum $r\Delta^{2} = r_1 + \cdots + r_{t+1}$, where $\Delta \mid r_1, \ldots, \Delta \mid r_{t+1}$ and $|r_1| < C\Delta^{2} n^{2}, \ldots, |r_{t+1}| < C\Delta^{2} n^{2}$. We perform secret sharing over the integers to share $r$. For $1 \le i \le t+1$ a random polynomial $g_i(x)$ is chosen such that $g_i(0) = r_i$ and for $1 \le j \le t$ we have $g_{ij} \in_R \{0, \Delta, \ldots, \Delta^{2} n^{2} \cdot \Delta\}$. We define a polynomial $g(x) = g_1(x) + \cdots + g_{t+1}(x)$. We can observe that $g(0) = r\Delta^{2}$.
The function $g$ gives us a polynomial sharing over the integers of $r$, which was generated like in the sum-to-poly protocol [?], and by Lemma 3 from [?] it is almost $t$-wise independent. Since the adversary learns $t$ shares $s_{i_1} = (g_1 + \cdots + g_{t+1})(i_1), \ldots, s_{i_t} = (g_1 + \cdots + g_{t+1})(i_t)$, he cannot distinguish these shares from random values and from the shares generated for him by the honest dealer.

Let $w$ be a random square in $\mathbb{Z}_n^{*}$. We define the verification key $v = w^{e} \bmod n$. The verification key of a corrupted server $i$ is $v_i = v^{\Delta s_i}$. For an uncorrupted server $i$, we define the set $S = \{0, i_1, \ldots, i_t\}$. We can take the normal Lagrange coefficients and multiply them by $\Delta$ so they become integers. The results are called $\lambda_{i,j}$ and we have
   $\Delta\, s_i = \sum_{j \in S} \lambda_{i,j}\, g(j).$
Since the adversary cannot distinguish our secret $d$ from $r$, we can compute $v_i \bmod n$ for every uncorrupted server from $v$, $w$, the $\lambda_{i,j}$ and the adversary's shares.

The adversary's view consists of $n, e, s_{i_1}, \ldots, s_{i_t}, v, v_1, \ldots, v_l$. Since it was generated on the basis of the adversary's shares $s_{i_1}, \ldots, s_{i_t}$, which were statistically indistinguishable from the adversary's shares produced by the honest dealer, the adversary cannot distinguish this view from the one given by the honest dealer. □



Lemma 4. Assume we are given a set of values distributed by the honest dealer to the adversary, i.e., $n, e, v, v_1, v_2, \ldots, v_l$ and the $s_i$'s sent to the corrupt servers. Let also a message $M$ and the signature $H(M)^{d} \bmod n$ be given. Based on this, the contributions from honest servers in the protocol where $M$ is signed can be simulated with the correct distribution.

Proof. Let $\{i_1, \ldots, i_t\}$ be the set of corrupted servers. Let $y = H(M)^{d} \bmod n$ and $x = y^{e} = H(M) \bmod n$.

We define the set $S = \{0, i_1, \ldots, i_t\}$. We can take the normal Lagrange coefficients and multiply them by $\Delta$ so they become integers; call them $\lambda_{i,j}$. We can easily compute $x_i = x^{2\Delta^{2} s_i}$ for an uncorrupted player $i$ as
   $x_i = y^{2\Delta\left(\Delta^{2} \lambda_{i,0} + e \sum_{j \in S \setminus \{0\}} \lambda_{i,j} s_j\right)} \bmod n.$
□

4.1 Proof Assuming v Has Maximal Order

As a first step, we prove:

Lemma 5. Modify the honest dealer scheme described above such that the honest dealer chooses $v$ to be a random element of maximal order (among the squares modulo $n$). Then the resulting scheme is secure under Conjecture 1 and assuming the underlying standard RSA signature scheme is secure.
Proof. Assume we are given an adversary $A$ that breaks the scheme with probability at least $1/p(k)$, for some polynomial $p()$. We will then build an algorithm that with approximately the same probability either breaks the first part of Conjecture 1 or the underlying RSA scheme. So our algorithm gets $n, e$ as input, and also gets a chosen message attack on the underlying RSA scheme, i.e., access to an oracle which on input $M$ returns $H(M)^{d} \bmod n$. The algorithm now behaves as follows:

1. Invoke Lemma 3 to generate from $n, e$ a simulation of the honest dealer (note that this produces a random square $v$ which does not necessarily have maximal order; we deal with this problem below). Send the data produced to $A$.

2. For every oracle request $A$ issues, check if the input value to the oracle that $A$ specified has been asked for before. If so, return the same answer that was returned earlier. Otherwise, return a fresh random value as an answer and record this value.

3. For every signature request (say, on message $M$) $A$ issues, call the oracle to obtain the signature $H(M)^{d} \bmod n$. Use this and the data generated in step 1 to invoke Lemma 4 and compute the contributions from honest servers in the signing protocol where $M$ is the input. Invoke Lemma 1 to simulate the proofs of correctness from honest players. Send all data produced in this step to $A$, and receive signature shares $x_i$ and proofs for the corrupt servers from $A$.

4. If $A$ produces an incorrect signature share $x_i$ and an acceptable proof for this share, stop and output $x_i^{2} \cdot \tilde{x}^{-s_i} \bmod n$ (where $x = H(M)$ and $M$ is the message that was signed).

5. If $A$ stops and outputs $M_0, \sigma_0$, output this pair and stop.

To analyze this algorithm, note first that the simulation of the honest dealer in step 1 produces $v$ as a random square, whereas the honest dealer we have assumed in this subsection chooses $v$ as a random square of maximal order. However, for any prime $p$, there is a non-negligible probability that a randomly chosen number modulo $p$ has maximal order, namely $p - 1$ (see [15]). This (and the Chinese Remainder Theorem) implies that if we let GOOD be the event that $v$ is a square of maximal order, there is a non-negligible probability that GOOD occurs. It will therefore be sufficient to show that the probability that our algorithm breaks one of the two assumptions, given that GOOD occurs, is non-negligible.

Under this assumption, step 1 simulates our honest dealer with a statistically close distribution. Therefore, the simulations of the signing protocols are also statistically close to the real life distributions (by Lemma 4 and Lemma 1). The simulation of the random oracle is trivially perfectly indistinguishable from the real thing. It follows that the probability that $A$ breaks the threshold signature scheme during our simulation is equal to the probability with which this happens in real life except for a negligible amount, and certainly is at least $1/p'(k)$ for some polynomial $p'()$.

However, assume first that $A$ does this by producing an incorrect signature share $x_i$ and a valid proof for it (by Lemma 2 this is necessary to make the signing protocol output a bad signature). By Lemma 2 this means that $x_i^{2} \cdot \tilde{x}^{-s_i} \bmod n$ has order not divisible by $q$, except with negligible probability, and so we have broken the first part of Conjecture 1. On the other hand, if $M_0$ did not occur in any of $A$'s signature requests, it did not occur in any of ours either, so if also $\sigma_0 = H(M_0)^{d} \bmod n$, i.e., $\sigma_0$ is a valid signature, we have broken the underlying RSA signature scheme.



4.2 Proof in General

We are now ready for the main result:

Theorem 1. Consider the original honest dealer scheme described above where the honest dealer chooses $v$ to be a random square modulo $n$. This scheme is secure under Conjecture 1 and assuming the underlying standard RSA signature scheme is secure.

Proof. Assume the result is false, i.e. there exists an adversary $A$ that breaks the scheme with significant probability. We will then argue that this leads to a contradiction with the second part of Conjecture 1. So let us assume that we are given values $n, e, v$. We know that $n, e$ are chosen as the honest dealer would choose them, and we will show how to use the assumed adversary $A$ to decide if $v$ is a random square or a square of maximal order.

Note first that we may as well try to decide if $v^{e} \bmod n$ is random or of maximal order, since raising to the $e$'th power preserves order and is a 1-1 mapping. So by replacing $v$ by $v^{e} \bmod n$, we see that we may assume without loss of generality that we know the $e$'th root of $v$. With this in mind, a trivial modification of Lemma 3 shows how the honest dealer can be simulated given $n, e$ and $v$ (and the $e$'th root of $v$).

We now run the simulation algorithm that appears in the proof of Lemma 5 with two changes:

— In step 1 we run the modified simulation of the honest dealer we just described.

— Having finished, we output "$v$ is random" if $A$ broke the threshold signature scheme, and "$v$ has maximal order" otherwise.

It is evident from this description that if $v$ has maximal order, we will be producing a simulation that is statistically close to the view of $A$ attacking the scheme with maximal order $v$, and similarly for random $v$. It now follows that if $v$ is in fact random, we will output "$v$ is random" with probability at least $1/p(k)$ for some polynomial $p()$, by assumption on $A$, while this happens with negligible probability if $v$ has maximal order, by Lemma 5.
5 Removing the Honest Dealer

By inspection, it is straightforward to check that the output data from the distributed key generation protocol of [?] matches the data we have assumed that the trusted dealer generates, with one exception: we have required that $n$ is such that $\varphi(n)/4$ is not divisible by any prime less than $l$, and this condition is not automatically satisfied using [?].

This is easily handled, however: the protocol from [?] contains a test division step where each candidate $p$ for a prime factor in $n$ is test-divided by small prime factors. At this point, $p$ is shared additively among the players, so it is trivial to obtain an additive sharing of $p - 1$, and test-divide $p - 1$ by all primes less than $l$. This will of course slow down the protocol because more candidates will be rejected; however, by Mertens' theorem the cost will only be a factor proportional to $\log l$.

To show security of the combined scheme, we assume (for concreteness) that the protocol from [?] according to the definition of Canetti [?] is a secure protocol for computing the function $F$, which on input the security parameter $k$ outputs to all players the values $n, e, v, \{v_i = v^{\Delta s_i} \bmod n\}$, and $s_i$ as private output to server $i$.

Security of the entire combined scheme now follows from Canetti's composition theorem, provided we show that our protocol is secure given an "ideal implementation" of $F$, i.e., an oracle that on input $k$ outputs to all players a set of output values for $F$ chosen according to the correct distribution. But since such an oracle is equivalent to an honest dealer, the required proof is precisely what we have given in the previous sections.

6 Efficiency Analysis

It is straightforward to check that the number of bits sent by each server in order to sign a message, as well as the number of modular multiplications the server needs to perform, is proportional to the bit length of its share $s_i$ of the secret key. From the estimates on $s_i$ in Section 3 it therefore follows that the communication complexity per server is $O(k + l \log l)$ bits and the computation is $O(k + l \log l)$ modular multiplications, where $l$ is the number of servers and $k$ is the length of the modulus.

This is more than in Shoup's scheme [?], which has complexity $O(k)$; however, in practice $k$ must be 1000 or more for security reasons, while $l$ is going to be much smaller, so this difference is hardly significant in practice. In the hidden constants, the main difference is a factor of 2 in Shoup's favor. As a concrete example, for a 1000 bit modulus and 32 servers, Shoup's scheme will have shares of size 1 Kbit while our shares will be about 4 Kbits.

Footnote: [?] does not directly reference the definition of [2]. Nevertheless, the simulation based security proof they give fits with Canetti's definition.

Footnote: Note that we allow the adversary to do a chosen message attack after seeing the public key. Strictly speaking, the model from [2] does not permit this because contributions from corrupted players must be chosen initially when the adversary is static. However, recent work by Canetti [?] does allow taking this into account.
Abstract. In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrarily long messages. First, we introduce a continuum of function classes that lie between universal one-way hash functions and collision-resistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal one-way hash functions known so far, is optimal.

1 Introduction

In the pursuit of efficient and provably secure constructions of practical cryptosystems several basic primitives have emerged as useful building blocks. Two of them are collision-resistant hash functions (CRHFs) and universal one-way hash functions (UOWHFs). In the complexity-theoretic sense a UOWHF is a strictly weaker primitive than a CRHF, because the latter is also the former but there is an oracle relative to which UOWHFs exist but not CRHFs [Si98]. Therefore it might be reasonable to base practical cryptosystems on a weaker primitive, which can be easier to construct. Also, since no unconditionally secure UOWHFs are known, the assumption that a particular family of functions is a UOWHF can be more plausible than the assumption of its collision-resistance.

A UOWHF is a collection of keyed compressing functions $\{h_k\}_{k \in K}$ such that winning the following game is infeasible: The adversary chooses $x$, then receives a key $k \in K$ picked at random and wins if he can find $y$ such that $h_k(x) = h_k(y)$.

A CRHF is a set of keyed compressing functions $\{f_k\}_{k \in K}$ such that for a random $k \in K$ it is infeasible to find $x$ and $y$ that satisfy $f_k(x) = f_k(y)$.

In many applications it is convenient to have a family of UOWHFs or CRHFs, i.e., a collection of functions that map bit strings of different lengths into fixed length strings. The problem is to construct such a family given a single UOWHF or CRHF, which is typically the case when one begins with an off-the-shelf function, for instance, MD5 or SHA-1. For CRHFs a widely used, provably secure and efficient method is the Merkle-Damgård construction [?]. Surprisingly, this construction does not apply to UOWHFs ([KR97] gave a concrete example of a UOWHF on which the Merkle-Damgård construction fails). For building UOWHF families the best method known so far is due to Shoup [Sh00].

* Supported by NSF contract #CCR-9984259

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 166–181, 2001.

(c) Springer-Verlag Berlin Heidelberg 2001
In this paper we study the applicability of the Merkle-Damgård construction, introducing a continuum of primitives that lie between CRHF and UOWHF. Then we give an alternative proof of the Shoup construction and prove that this construction is optimal in some restricted model of computation. The optimality result is the major contribution of the paper.



2 Motivation: Key Length of Different Composition Schemes

The first application of UOWHFs in [?] was to use them as a tool for constructing a signature scheme secure under the most general attack. However, most practical signature schemes that follow the "hash-and-sign" paradigm use UOWHFs or CRHFs in a different way. They take a message $M$ of an arbitrary length and hash it to obtain a constant length string, which is then fed into a signing algorithm. Many schemes use CRHF families to hash $M$, but as it was first noted in [BR97] a UOWHF suffices for that purpose. Indeed, if $\{h_k\}_{k \in K}$ is a UOWHF, then $(k, h_k(M))$, where $k$ is chosen at random, can be signed and still be as secure as the underlying signature algorithm. If the key length varies with the length of a message, the signing algorithm is applied to $(h_{K'}(k), h_k(M))$, where $K'$ is part of the signer's public key. Here the function $h_{K'}$ can be replaced by any second-preimage resistant function, because its input is random and chosen by the signer. Since messages can be very long, hashing speed is a crucial factor. Again, because a UOWHF is a weaker primitive than a CRHF, we may hope to find a more efficient algorithm that implements a UOWHF, thus speeding up the signature scheme.

A closer look at this approach reveals that the key $k$ must be part of the signature so the receiver can recompute the hash. Therefore the shorter the key the better. This is our motivation for studying different composition schemes that yield hash functions with a short key.

The problem of composing a family of UOWHFs does not exist in the case of CRHFs, since the Merkle-Damgård construction does not increase the key size. Ironically, if we consider two competing algorithms, one implementing a CRHF and a more efficient one which is supposedly a UOWHF, a signature scheme based on the CRHF can outperform a scheme that uses a family of UOWHFs.

Among several composition schemes for UOWHFs [?] the one with the smallest key expansion is due to Shoup [Sh00]. Characteristics of the Shoup construction are the following. Suppose that the starting point is a UOWHF that has key length $l$ and compresses $n$ bits to $m$ bits. The composition scheme yields a family of UOWHFs such that a function that compresses $N$ bits to $m$ bits is keyed by $m \cdot \log_2 \lceil N/(n-m) \rceil + l$ bits. The key length grows logarithmically with the length of a message. Schemes in [BR97], [NY89] have the same asymptotics but a bigger constant factor.

In Table 1 we give a concrete example of the signature length on messages of various sizes if we couple 1024-bit modulus RSA with either a CRHF or a UOWHF. The UOWHF as in [?] results from the Shoup construction applied to a keyed SHA-1 compression function, which hashes 672 bits to 160 bits.

Table 1. Length of RSA signatures with 1024-bit modulus.

    Message length    CRHF          UOWHF
    |M| = 1Kb         |S| = 1Kb     |S| = 1.81Kb
    1Mb               1Kb           3.22Kb
    1Gb               1Kb           4.87Kb

3 Between CRHF and UOWHF

The condition imposed on the round function by the Merkle-Damgård composition theorem can be relaxed. We consider the Merkle-Damgård construction as a useful test that can be applied to function classes filling the gap between CRHFs and UOWHFs. We define these classes in the next section.

3.1 Definitions

CRHFs and UOWHFs enjoy different types of collision-resistance and their constructions are based on different assumptions. This adds to the impression that these two primitives have nothing in common. In fact, the only difference between them is in the degree of freedom that the adversary has in choosing one of the colliding elements. In the case of a UOWHF, the adversary commits to $x$ before he knows the key, while to defeat a CRHF the adversary is free to choose $x$ afterwards. This difference can be easily quantified by specifying how many bits of $x$ the adversary commits to before he knows the key. Qualitative differences between several variations of hash functions were demonstrated in [ZMI90]. We shall see that the Merkle-Damgård construction may be extended to a class of functions that lie between CRHF and UOWHF.

Definition 1 (class $\mathrm{CR}_{\ell_i}(n_i \to m_i)$). Let $\{(n_i, m_i, \ell_i)\}_{i \in \mathbb{N}}$ be a sequence of non-repeating triplets of integer numbers such that $0 < m_i < n_i$ and $0 \le \ell_i \le n_i$ for any $i$. We say that a collection of keyed functions $h^{i}_{k} : \{0,1\}^{n_i} \to \{0,1\}^{m_i}$, where $k \in K_i$, belongs to the class $\mathrm{CR}_{\ell_i}(n_i \to m_i)$ if no adversary can win the following game for infinitely many $i$ in time $\mathrm{poly}(n_i)$ with probability at least $1/\mathrm{poly}(n_i)$:

1. The adversary selects some $x_0 \in \{0,1\}^{n_i - \ell_i}$.

2. Key $k$ is chosen at random from $K_i$.

3. The adversary selects $x_1 \in \{0,1\}^{\ell_i}$ and $y \in \{0,1\}^{n_i}$ such that $h^{i}_{k}(x_1 \| x_0) = h^{i}_{k}(y)$.

We call the $\ell_i$ bits that the adversary is free to choose the flexibility of a class.
Fig. 1. Function $h_k$ from $\mathrm{CR}_{\ell}(n \to m)$.



This definition subsumes the definitions of UOWHFs and CRHFs. The class of functions with zero flexibility, $\mathrm{CR}_0(n_i \to m_i)$, is the class of UOWHFs, where the adversary must choose in its entirety one of the colliding elements before he knows the key. On the other hand, functions with full flexibility, $\mathrm{CR}_{n_i}(n_i \to m_i)$, constitute the class of CRHFs, since the adversary commits to nothing ahead of time.

We may omit the index parameter $i$ for the sake of brevity of notation. It does not imply that we consider a single triple $(n, m, \ell)$ (our asymptotic definition is inept in this setting), but that the subsequent arguments can be uniformly applied to the whole family of $\{(n_i, m_i, \ell_i)\}_{i \in \mathbb{N}}$. For example, we can formulate and prove the following propositions without utilizing the index variable.

Proposition 1. $\mathrm{CR}_{\ell_1}(n \to m) \subseteq \mathrm{CR}_{\ell_2}(n \to m)$ if $\ell_1 > \ell_2$.

Proof. Because higher flexibility gives more power to the adversary, any set of functions that qualifies as $\mathrm{CR}_{\ell_1}(n \to m)$ also belongs to $\mathrm{CR}_{\ell_2}(n \to m)$. □

Proposition 2. A collision for a function from $\mathrm{CR}_{\ell}(n \to m)$ can be found in $O(2^{\max(m - \ell,\, m/2)})$ evaluations of this function.

Proof. Consider the birthday attack that applies to the flexible part of the input. □
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3.2 Merkle-Damgard Construction Applies to CR£(n — >■ m), 
where f. > m 

Suppose we have a family of functions € CR^(n — >■ m), where i > m. 

Merkle-Damgard construction with variable IV and r rounds (Merkle-Damgard 
construction for short) is an operator that takes a function hk and transforms 
it into a function MD''hfc: {Q, i— >• {0,1}"*. This function is built 

according to this rule: 

Merkle-Damgard construction with variable IV and r rounds 

1. Input X formatted as {xo,xi, . . . ,Xr) such that |xo| = m, \x\\ = ■ ■ ■ = \xr\ = 
n — m. 

2. Chaining variable Co is initialized as xq- 

3. For i = 1 to r let Ci = hk{Ci-\,Xi). 

4. Output of the function MD’’/ife(x) is C^. 




Fig. 2. r-round Merkle-Damgard construction. 



This is the usual Merkle-Damgard construction except that the initializing 
value (IV) is also part of the input. The following theorem proves that the 
construction works correctly on functions from the class CR^(n — >■ m), where 
i > m. 

Theorem 1. Suppose we have a family of functions $\{h_k\}_{k \in K_i} \in \mathrm{CR}_{\ell_i}(n_i \mapsto m_i)$, where $\ell_i \ge m_i$, and a sequence $\{r_i\}_{i \in \mathbb{N}}$ such that $r_i < \mathrm{poly}(n_i)$. Then $\{\mathrm{MD}^{r_i} h_k\}_{i \in \mathbb{N}, k \in K_i}$ is in the class $\mathrm{CR}_{\ell_i}(r_i \cdot (n_i - m_i) + m_i \mapsto m_i)$.

Proof. Suppose that $\ell_i = m_i$. The case of $\ell_i > m_i$ is treated analogously. Assume for contradiction that there is an algorithm $A$ that wins the game described in Definition 1 for infinitely many $i$. We build an algorithm $B$ that contradicts the fact that $\{h_k\}_{k \in K_i} \in \mathrm{CR}_{\ell_i}(n_i \mapsto m_i)$.

Fix some $i$. Denote the value $A$ commits to on the first step of this game by $x = (x_1, \dots, x_r)$. Choose $0 < j \le r$ at random. Commit to $x_j$ in the game played by $B$.

Hash Functions: From Merkle-Damgård to Shoup 171

Key $k$ is chosen at random. Let $A$ find $x_0$ and $y = (y_0, y_1, \dots, y_r)$ that make a collision. Now $\mathrm{MD}^r h_k(x_0 \| x) = \mathrm{MD}^r h_k(y)$. With probability at least $1/r$ we have a collision on the $j$-th application of the function $h_k$. It means that $h_k(C_{j-1} \| x_j) = h_k(C'_{j-1} \| y_j)$ but $C_{j-1} \| x_j \ne C'_{j-1} \| y_j$, where $C_j$ and $C'_j$ are the chaining variables. If it is the case, $B$ outputs a colliding pair $C_{j-1} \| x_j$ and $C'_{j-1} \| y_j$. $\square$

The fact that $\ell_i \ge m_i$ is crucial for the proof. Because the flexible part of the hashes' input is longer than their output, the adversary does not need to commit to the chaining variable if he wants to use $A$ to find a collision. The value of the chaining variable depends on the key and cannot be predicted ahead of time. It is where the proof breaks if we want to apply it to the case when $\ell_i < m_i$.
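As an added worked example, which is not part of the paper: the construction above implemented over a toy keyed compression function, together with the step of the proof of Theorem 1 that turns a collision of $\mathrm{MD}^r h_k$ into a collision of a single application of $h_k$ by walking the rounds backwards. The compression function (truncated SHA-256), the 8-bit sizes, the key and the inputs are assumptions made for this example; with $m = 8$ a collision of the composite can be found by a birthday search, which is what makes the reduction observable.

```python
# Added example (not from the paper): the r-round Merkle-Damgard construction
# with variable IV over a toy keyed compression function, plus the step of the
# proof of Theorem 1 that extracts a collision of h_k from a collision of the
# composite MD^r h_k. Sizes are deliberately tiny (m = 8, n - m = 8 bits) so a
# composite collision can be found by brute force; the compression function,
# the key and the inputs below are constructed for illustration only.
import hashlib
import random

M_BITS = 8        # m: length of the chaining variable / output
BLOCK_BITS = 8    # n - m: length of one message block


def h_k(key: bytes, chaining: int, block: int) -> int:
    """Toy keyed compression function {0,1}^n -> {0,1}^m, n = 16, m = 8:
    SHA-256(key || C_{i-1} || x_i) truncated to one byte. Any keyed function
    would do here; SHA-256 is used only for brevity."""
    return hashlib.sha256(key + bytes([chaining, block])).digest()[0]


def chaining_values(key: bytes, x: list) -> list:
    """C_0 = x_0 (the IV is part of the input), C_i = h_k(C_{i-1}, x_i)."""
    cs = [x[0]]
    for block in x[1:]:
        cs.append(h_k(key, cs[-1], block))
    return cs


def md_variable_iv(key: bytes, x: list) -> int:
    """MD^r h_k(x) for x = (x_0, x_1, ..., x_r): the last chaining value C_r."""
    return chaining_values(key, x)[-1]


def extract_round_collision(key: bytes, x: list, y: list):
    """Given MD^r h_k(x) == MD^r h_k(y) with x != y, walk the rounds backwards
    (the argument used in the proofs of Theorems 1 and 5) to find a round j
    whose h_k inputs differ but whose outputs agree. Returns
    ((C_{j-1}, x_j), (C'_{j-1}, y_j), j), or None when x == y."""
    cx, cy = chaining_values(key, x), chaining_values(key, y)
    r = len(x) - 1
    for j in range(r, 0, -1):
        if (cx[j - 1], x[j]) != (cy[j - 1], y[j]):
            # Invariant: cx[j] == cy[j] here, so this round is a collision of h_k.
            return (cx[j - 1], x[j]), (cy[j - 1], y[j]), j
    return None


def find_composite_collision(key: bytes, r: int, seed: int = 1):
    """Birthday search for two distinct inputs with equal MD^r h_k output.
    Feasible only because the output space has 2^M_BITS = 256 values."""
    rng = random.Random(seed)
    seen = {}
    while True:
        x = [rng.randrange(1 << BLOCK_BITS) for _ in range(r + 1)]
        out = md_variable_iv(key, x)
        if out in seen and seen[out] != x:
            return seen[out], x
        seen[out] = x


def demo(key: bytes = b"constructed-key", r: int = 4):
    """Find a composite collision and reduce it to a collision of h_k."""
    x, y = find_composite_collision(key, r)
    a, b, j = extract_round_collision(key, x, y)
    assert a != b and h_k(key, *a) == h_k(key, *b)
    return j, a, b


if __name__ == "__main__":
    print(demo())
```

The backward walk is exactly why the reduction loses only a factor $1/r$: whichever round $j$ the collision of $h_k$ lands in, $B$ has guessed it with probability $1/r$, and the example returns that round index together with the two colliding $h_k$ inputs.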

Note 1. In practice we want to have a CRHF or a UOWHF that takes as input any string of some bounded length and maps it to a fixed-length string. This is a stronger primitive than a collection of functions each taking a fixed-length input, because it must be collision resistant (resp. be a UOWHF) across inputs of different length. It turns out that a collection of fixed-input-length functions can be strengthened to allow a variable input length. We assume that the message is padded to a length divisible by the block size ($n - m$ in case of the Merkle-Damgård construction) and the last block of the message uniquely encodes the message length before padding. This preprocessing stage was proposed in [?] and discussed in [LM92] along with a definition of a free-start attack. Theorem 1 can be generalized to hold for this strengthened construction ([LM92] proved the theorem for families of pure CRHFs and UOWHFs).

3.3 Boundary

Because there is a complexity-theoretic jump between CRHFs and UOWHFs, we may expect to observe at least one such jump in the sequence of classes $\mathrm{CR}_0(n \mapsto m) \supseteq \dots \supseteq \mathrm{CR}_n(n \mapsto m)$. The following theorems show that this is indeed the case and there are two classes of complexity-theoretic equivalence. The boundary between them coincides with the limit of validity of the Merkle-Damgård construction (Section 3.2).

We recall that UOWHFs are one-way functions and can be built from a family of one-way functions [?]. This also implies existence (via black-box constructions) of other cryptographic primitives such as secure signature schemes [NY89], pseudo-random generators [HILL99], telephone coin flipping and bit commitment protocols [?]. [Si98] proved that there is no black-box (relativizing) construction of a CRHF based on a UOWHF. In our terminology it means that there is no unconditional construction of $\mathrm{CR}_n(n \mapsto m)$ given access to $\mathrm{CR}_0(n \mapsto m)$ as a black-box.

Theorem 2. $\mathrm{CR}_{m - O(\log n)}(n \mapsto m)$ is non-empty if and only if CRHFs exist.

Proof. The adversary playing the game from Definition 1 may choose values for $O(\log n)$ bits randomly. His probability of success drops in this case by a factor of $2^{O(\log n)} = \mathrm{poly}(n)$. Therefore $\mathrm{CR}_{m - O(\log n)}(n \mapsto m) = \mathrm{CR}_m(n \mapsto m)$. Since $\mathrm{CR}_m(n \mapsto m) \supseteq \mathrm{CR}_n(n \mapsto m)$ by Proposition [?], the "if" part is trivial. Suppose we have $\{h_k\}_{k \in K} \in \mathrm{CR}_m(n \mapsto m)$. Define $g_k : \{0,1\}^{m+1} \mapsto \{0,1\}^m$ for any $k \in K$ as follows. Suppose that $g_k$ takes two arguments, a single bit $b$ and $x$, which is $m$-bit long. Let

$$g_k(b, x) = h_k(x \,\|\, \underbrace{b \cdots b}_{n - m \text{ times}}).$$

We claim that $\{g_k\}_{k \in K} \in \mathrm{CR}_{m+1}(m + 1 \mapsto m)$, i.e., it is a CRHF family.

Assume the opposite. There is an efficient algorithm $A$ that for a random $k$ finds a collision $g_k(b_0, x) = g_k(b_1, y)$. Wlog we may assume that $b_0 = 0$ with probability at least $1/2$. We want to show that $\{h_k\}_{k \in K} \notin \mathrm{CR}_m(n \mapsto m)$. In order to prove it we build algorithm $B$ that wins the game from Definition 1 as follows:

step 1. Commit to $0^{n-m}$.
step 2. Get $k \in K$.
step 3. Run $A$ to find a collision $g_k(b_0, x) = g_k(b_1, y)$. If $b_0 = 0$ proceed to the next step, otherwise the algorithm fails.
step 4. Output $x \| 0^{n-m}$ and $y \| b_1^{n-m}$ as a collision for $h_k$.

The output of $B$ is indeed a collision, since

$$h_k(x \| 0^{n-m}) = g_k(0, x) = g_k(b_0, x) = g_k(b_1, y) = h_k(y \| b_1^{n-m}),$$

and, because $b_0 \| x \ne b_1 \| y$, these two elements of the domain of $h_k$ are different. The success probability of $B$ is at least one half of the success probability of $A$.

Notice that $g_k(0, x)$ and $g_k(1, x)$ is a pair of claw-free pseudo-injections (see [Ru95]). $\square$



Theorem 3. $\mathrm{CR}_{m - m^{\Omega(1)}}(n \mapsto m)$ is not empty if and only if UOWHFs exist.

Formally, if some $\mathrm{CR}_{\ell_i}(n_i \mapsto m_i)$ is not empty, then UOWHFs exist. If UOWHFs exist, then for any $\ell(m) : \mathbb{N} \mapsto \mathbb{N}$, such that $m - \ell(m) > m^c$ for some $0 < c < 1$, a non-empty class $\mathrm{CR}_{\ell(m_i)}(n_i \mapsto m_i)$ exists.

Proof. Since $\mathrm{CR}_0(n \mapsto m) \supseteq \mathrm{CR}_\ell(n \mapsto m)$, the "only if" part is trivial.

Suppose UOWHFs exist. Take $\{h_k\}_{k \in K} \in \mathrm{CR}_0(n \mapsto m)$. Then for any $\ell < \mathrm{poly}(n)$ we may define $g_k : \{0,1\}^{n + \ell} \mapsto \{0,1\}^{m + \ell}$ as

$$g_k(x, y) = y \,\|\, h_k(x),$$

where $|y| = \ell$ and $|x| = n$. We claim that $\{g_k\}_{k \in K} \in \mathrm{CR}_\ell(n + \ell \mapsto m + \ell)$.

Indeed, if there is a collision $g_k(x_0, y_0) = g_k(x_1, y_1)$, then $y_0 = y_1$ and $h_k(x_0) = h_k(x_1)$. Note that $y_0$ is the flexible part of the input and $x_0$ is the part that the adversary commits to before he knows the key. The adversary works poly-time in $n + \ell$. Since $\ell < \mathrm{poly}(n)$, the adversary's running time is also polynomial in $n$. Therefore the same adversary can be used to break the UOWHF-ness property of $\{h_k\}_{k \in K}$.

Suppose we are given a family of UOWHFs $\{h_k\}_{k \in K} \in \mathrm{CR}_0(n' \mapsto m')$. For every $m'$ there is some $m$, such that $m^c/2 < m' < m^c < m - \ell(m)$. The construction above with $\ell = m - m' < (2m')^{1/c} < (2n')^{1/c} = \mathrm{poly}(n')$ yields a collection of functions from $\mathrm{CR}_\ell(n' + \ell \mapsto m' + \ell) = \mathrm{CR}_\ell(n' + \ell \mapsto m_i) \subseteq \mathrm{CR}_{\ell(m_i)}(n' + \ell \mapsto m_i)$. The last inclusion is because $\ell = m - m' > \ell(m)$ and by Proposition [?]. $\square$



Fig. 3. Hierarchy of classes: CRHFs $= \mathrm{CR}_n(n \mapsto m) \subseteq \dots = \mathrm{CR}_{m - O(\log m)}(n \mapsto m) \subseteq \dots \subseteq \mathrm{CR}_{m - m^c}(n \mapsto m) \subseteq \dots \subseteq \mathrm{CR}_0(n \mapsto m) =$ UOWHFs, with an oracle separation between the two complexity-theoretic equivalence classes.



Theorems 2 and 3 show that there are two classes of complexity-theoretic equivalence of classes $\mathrm{CR}_\ell(n \mapsto m)$ (Figure 3). One contains CRHFs and all $\mathrm{CR}_\ell(n \mapsto m)$ for $\ell > m - O(\log n)$, the other one spans classes between UOWHFs and $\mathrm{CR}_\ell(n \mapsto m)$ for $\ell < m - m^{\Omega(1)}$. The following note eliminates the gap between them.

Note 2. The claim of Theorem 3 can be improved if we assume that $n < \mathrm{poly}(m)$ and $\mathrm{CR}_0(n \mapsto m)$ has "ideal" security $\Omega(2^m)$ as in Proposition [?]. With these assumptions there is no gap between the two theorems and there are only two classes of equivalence.

4 Optimality of the Shoup Construction

[?] gave an example of a UOWHF on which the two-round Merkle-Damgård construction fails. Since we want to build UOWHFs the same way we build families of CRHFs, i.e., starting with a keyed function that has fixed-length input, other constructions have to be studied. The most efficient among different composition schemes that have appeared in the literature is the Shoup construction. We give an alternative proof of its correctness, which is technically simpler than in [Sh00] and conceptually better matches our main result, the proof of its optimality.
4.1 Shoup Construction

The Shoup construction (see Figure 4) can be viewed as an extended Merkle-Damgård construction, where the chaining variable is XORed with some mask on each iteration. Because these masks are reused, the key length grows logarithmically with the size of the message.




Fig. 4. 7-round Shoup construction. 



Formally, the $r$-round Shoup construction is an operator that takes function $h_k : \{0,1\}^n \mapsto \{0,1\}^m$, bit-vector $M$ with length $L_M = m(\lfloor \log r \rfloor + 1)$, which is formatted as $L$ masks $M = (M_0, \dots, M_{L-1})$, and transforms it into a function $S^{r,M} h_k : \{0,1\}^{r \cdot (n - m)} \mapsto \{0,1\}^m$. This function is built according to this rule:

$r$-round Shoup construction

1. Input $x$ formatted as $(x_1, \dots, x_r)$ such that $|x_1| = \dots = |x_r| = n - m$.

2. Chaining variable $C_0$ is initialized as IV.

3. For $i = 1$ to $r$ let $C_i = h_k(C_{i-1} \oplus M_{\nu(i)}, x_i)$, where the auxiliary function $\nu(i)$ is the exponent of the highest power of 2 that divides $i$.

4. Output of the function $S^{r,M} h_k(x)$ is $C_r$.

We defer the proof of correctness of this construction to Section 4.3.



4.2 Optimality of the Shoup Construction

The Shoup construction achieves its key length, short compared to other constructions, by reusing the bit-masks. A legitimate question is whether the masks can be reused even more. In this section we give a negative answer to this question. We prove that the Shoup construction really reuses masks as much as possible in the strongest sense.

Definition 2. A generalized $r$-round Shoup construction is the Shoup construction as described in Section 4.1 but with function $\nu$, which selects a mask to use on every iteration of the construction, being any function that maps $[1, \dots, r]$ to $[0, \dots, L - 1]$. Function $\nu$ is the schedule of the construction. The construction is valid if it transforms any UOWHF family into a UOWHF family.

The Shoup construction instantiates the function $\nu(i) = \max\{j : 2^j \mid i\}$, so $L = \lfloor \log r \rfloor + 1$. A schedule is optimal if $L$ is minimal for a fixed $r$. The following theorem says the Shoup scheduling is optimal for all $r$.

Theorem 4. For any valid generalized $r$-round Shoup construction $r < 2^L$.

Proof. The proof consists of two steps. First, we show that any schedule of a valid construction must be even-free (defined below). Second, we prove that any schedule with $r \ge 2^L$ is not even-free.

Definition 3 (even-freeness property). We say that a schedule $\nu$ is even-free if for any $a$ and $b$, such that $1 \le a \le b \le r$, there is some $0 \le \eta < L$, such that the number of times $\nu(c)$ takes value $\eta$ for $a \le c \le b$ is odd. In other words, there is no sub-interval that contains every mask an even number of times.



Lemma 1. Any valid schedule $\nu$ is even-free.

Proof. Suppose there is a non-even-free schedule $\nu$ of some valid $r$-round generalized Shoup construction. We build a UOWHF family on which this construction fails, thus contradicting validity of the construction.

Assume that $g_k : \{0,1\}^n \mapsto \{0,1\}^m$ is a UOWHF, $2m + 2 \le n$ and $k \in K = \{0,1\}^m$. Of course, if UOWHFs do not exist, then every construction is valid but the problem itself is moot. If we have some UOWHF family, by adding an additional argument to its input that gets replicated to the output we can ensure that $2m + 2 \le n$. The size of the key space can be adjusted similarly. We define function $h_k : \{0,1\}^n \mapsto \{0,1\}^{2m+1}$ as follows:

$$h_k(y, z, b, x) = \begin{cases} g_k(y, z, b, x) \,\|\, z \,\|\, 1 & \text{if } x \ne 0^l \text{ and } z \ne k, \\ g_k(y, z, b, x) \,\|\, k \,\|\, 1 & \text{if } x = 0^l \text{ and } z \ne k, \\ 0^{2m+1} & \text{if } z = k, \end{cases}$$

where $|y| = |z| = |k| = m$, $b$ is a bit and $|x| = l = n - 2m - 1 \ge 1$. As usual, we omit the index $i$ of the family of UOWHFs, assuming that the construction of $h_k$ and the proof below apply uniformly to all functions of the family.

We claim that $h_k$ is a UOWHF. Indeed, a collision $h_k(y, z, b, x) = h_k(y', z', b', x')$ also yields a collision $g_k(y, z, b, x) = g_k(y', z', b', x')$ unless $z = k$ and $z' = k$. Probability that the adversary hits $z = k$ before he knows $k$ is negligible.

If $\nu$ is not even-free, there is a sub-interval $[a, b]$ that contains each mask an even number of times. We exploit this property to find a collision with a previously committed value.

The composite scheme takes as its input $x = (x_1, \dots, x_r)$, where $|x_i| = l = n - 2m - 1$ for all $i$. We claim that the following $x$ and $x'$ collide:

[$x$: a block repeated $a$ times, then a block repeated $r - a$ times]
[$x'$: a block repeated $a - 1$ times, then a block repeated $r - a$ times]

Denote the input of $h_k$ on the $i$-th iteration of the composite scheme by $(y_i, z_i, b_i, x_i)$ and $(y'_i, z'_i, b'_i, x'_i)$ for the inputs $x$ and $x'$ respectively. Format masks $M_i = (M_i^y, M_i^z, M_i^b)$ where $|M_i^y| = |M_i^z| = m$, $|M_i^b| = 1$. By definition of $h_k$ we may compute $z_a, \dots, z_b$ and $z'_a, \dots, z'_b$ as follows:

$$z_a = k \oplus M^z_{\nu(a)}, \qquad z'_a = k \oplus M^z_{\nu(a)},$$
$$z_{a+1} = z_a \oplus M^z_{\nu(a+1)}, \qquad z'_{a+1} = z'_a \oplus M^z_{\nu(a+1)},$$
$$\dots$$
$$z_b = z_{b-1} \oplus M^z_{\nu(b)}, \qquad z'_b = z'_{b-1} \oplus M^z_{\nu(b)}.$$

Therefore,

$$z_b = z'_b = k \oplus M^z_{\nu(a)} \oplus \dots \oplus M^z_{\nu(b)}.$$

Since every mask appears between $a$ and $b$ an even number of times, all masks XOR themselves out and

$$z_b = z'_b = k.$$

If $C_i(x)$ and $C_i(x')$ are the chaining variables of the composite scheme evaluated on $x$ and $x'$,

$$C_b(x) = h_k(y_b, k, b_b, x_b) = 0^{2m+1}, \qquad C_b(x') = h_k(y'_b, k, b'_b, x'_b) = 0^{2m+1}$$

by the third case of the definition of $h_k$.

Since $x$ and $x'$ agree after their $b$-th component, the output of the composite scheme will be the same on both inputs. $\square$ (Lemma 1)



Lemma 2. If schedule $\nu$ is even-free, then $r < 2^L$.

Proof. Assume the opposite. There is an even-free schedule $\nu$ with $r \ge 2^L$.

Let $\#_{a,b}(i)$ be a function that counts the number of appearances of the $i$-th mask between $\nu(a)$ and $\nu(b)$ inclusive.

Define a sequence of bit-vectors $d^a = (\#_{1,a}(0) \bmod 2, \dots, \#_{1,a}(L - 1) \bmod 2)$.

Each vector has length $L$. Because the schedule is even-free, none of these vectors is $(0, \dots, 0)$. Therefore, there are $r \ge 2^L$ $L$-bit vectors and one of $2^L$ possible values is not available. By the pigeonhole principle there are two equal vectors $d^a = d^b$ among them. Consider their difference.

$$d^b - d^a = (0, \dots, 0)$$
$$= ((\#_{1,b}(0) - \#_{1,a}(0)) \bmod 2, \dots, (\#_{1,b}(L - 1) - \#_{1,a}(L - 1)) \bmod 2)$$
$$= (\#_{a+1,b}(0) \bmod 2, \dots, \#_{a+1,b}(L - 1) \bmod 2).$$

Because of the interval $[a + 1, b]$ the schedule function is not even-free. $\square$ (Lemma 2)

From Lemmas 1 and 2 the theorem follows. $\square$



Note 3. It is instructive to see why the Shoup scheduling $\nu(i) = \max\{j : 2^j \mid i\}$ is even-free. In any interval $[a, b]$ there is a unique element $c$ that maximizes $\nu$. Indeed, if there were two such elements $c_1$ and $c_2$, necessarily $\nu(c_1) = \nu(c_2)$. But then the element $c = (c_1 + c_2)/2$ would be divisible by a higher power of 2. Existence of an element that appears only once, i.e., an odd number of times, in every interval is enough for even-freeness.
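As an added example, not from the paper: Definition 3, the parity-vector argument of the proof of Lemma 2 and the even-freeness of the Shoup schedule from Note 3, written as executable checks. Schedules are plain lists indexed $1..r$ (index 0 unused), and the sample schedules are constructed here. The function `lemma2_witness` goes slightly beyond the proof by also recording $d^0 = (0, \dots, 0)$, so it finds an all-even interval in any schedule that has one, not only when $r \ge 2^L$.

```python
# Added example (not from the paper): the even-freeness test of Definition 3,
# the parity-vector argument of the proof of Lemma 2, and a check that the
# Shoup schedule nu(i) = max{j : 2^j | i} of Note 3 is even-free for every r
# with L = floor(log2 r) + 1 masks. Schedules are lists indexed 1..r (index 0
# unused); the sample schedules are constructed for illustration.

def shoup_schedule(r: int) -> list:
    """nu(i) = exponent of the highest power of 2 dividing i, for i = 1..r."""
    return [None] + [((i & -i).bit_length() - 1) for i in range(1, r + 1)]


def num_masks(nu: list) -> int:
    """L for a schedule: one more than the largest mask index it uses."""
    return max(nu[1:]) + 1


def bad_interval(nu: list):
    """First interval (a, b), by brute force over all O(r^2) intervals, in
    which every mask appears an even number of times; None if even-free."""
    r, L = len(nu) - 1, num_masks(nu)
    for a in range(1, r + 1):
        counts = [0] * L
        for b in range(a, r + 1):
            counts[nu[b]] += 1
            if all(c % 2 == 0 for c in counts):
                return (a, b)
    return None


def is_even_free(nu: list) -> bool:
    """Definition 3: every sub-interval uses some mask an odd number of times."""
    return bad_interval(nu) is None


def lemma2_witness(nu: list):
    """Proof of Lemma 2 as an algorithm: d^b = (#_{1,b}(0) mod 2, ...) is the
    vector of mask parities over [1, b]; equal vectors d^a = d^b with a < b
    give the interval [a + 1, b] in which every mask appears an even number
    of times. d^0 = (0, ..., 0) is included so that a zero d^b yields [1, b].
    Returns that interval, or None for an even-free schedule."""
    L = num_masks(nu)
    parity = [0] * L
    first_seen = {tuple(parity): 0}
    for b in range(1, len(nu)):
        parity[nu[b]] ^= 1
        key = tuple(parity)
        if key in first_seen:
            return (first_seen[key] + 1, b)
        first_seen[key] = b
    return None


def mask_counts(nu: list, a: int, b: int) -> list:
    """#_{a,b}(i) for every mask i: how often mask i is used for a <= c <= b."""
    counts = [0] * num_masks(nu)
    for c in range(a, b + 1):
        counts[nu[c]] += 1
    return counts


if __name__ == "__main__":
    for r in range(1, 65):
        nu = shoup_schedule(r)
        assert num_masks(nu) == r.bit_length() and is_even_free(nu)
    # Theorem 4: with r = 2^L rounds no schedule on L masks is even-free.
    print(lemma2_witness([None, 0, 1, 0, 1]))   # an all-even interval, (1, 4)
```

The brute-force check and the parity-vector check may report different intervals for the same schedule; both are valid witnesses, and for the Shoup schedule both report none, which is the content of Note 3.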

Note 4. What if one uses addition modulo $2^m$ instead of XOR to mingle a mask and a chaining variable? If this operation is commutative and has an efficiently computable inverse, then the proof goes through with minor modifications. Having an inverse is required for our proof of the Shoup construction (below, Theorem 5), but being commutative is not necessary.

4.3 Correctness of the Shoup Construction

In this section we give an alternative proof of the Shoup construction. It is different from [Sh00] in presentation of the key reconstruction algorithm.

Theorem 5. If $\{h_k\}_{k \in K}$ is a UOWHF, so is $\{S^{r,M} h_k\}_{k \in K, |M| = m(\lfloor \log r \rfloor + 1)}$ for $r < \mathrm{poly}(n)$.

Proof. Suppose that there is an adversary $A$ that finds a collision of $S^{r,M} h_k$ with a non-negligible probability over the key of the composite scheme. We build an algorithm $B$ that finds a collision in $\{h_k\}_{k \in K}$. Let $S_j(x) = C_{j-1} \oplus M_{\nu(j)}$ be the first $m$ bits of the input of $h_k$ on the $j$-th iteration of the scheme on input $x$.

Algorithm $B$

1. Run $A$. $A$ commits to some $x = (x_1, \dots, x_r)$.

2. Choose randomly $j$ from $\{1, \dots, r\}$ and an $m$-bit string $C \in \{0,1\}^m$. Commit to $C \| x_j$.

3. Receive a key $k \in K$.

4. Run the key reconstruction algorithm (described below) that will output $M$ such that $S_j(x) = C$.

5. Feed $k$ and $M$ to $A$.

6. If $A$ finds a collision $x' = (x'_1, \dots, x'_r)$, check if $S_j(x) \| x_j \ne S_j(x') \| x'_j$ and $h_k(S_j(x) \| x_j) = h_k(S_j(x') \| x'_j)$. If so, output $S_j(x') \| x'_j$ that collides with $C \| x_j$.

Suppose that the output of the key reconstruction algorithm on uniformly distributed $C$ with fixed $x$, $j$ and $k$ also has the uniform distribution. Then the probability that $B$ finds a collision is $1/r$ of the success probability of $A$. Indeed, if $A$ finds a collision, there is at least one $i \in \{1, \dots, r\}$ such that $S_i(x) \| x_i \ne S_i(x') \| x'_i$ but $h_k(S_i(x) \| x_i) = h_k(S_i(x') \| x'_i)$ (consider the output of each iteration of the scheme going backward). This contradicts the assumption that $\{h_k\}_{k \in K}$ is a UOWHF. From this the claim of the theorem follows.

Now all we need is to show and prove the key reconstruction algorithm.

Key reconstruction algorithm

Input: $x = (x_1, \dots, x_r)$, $j$, $k \in K$, $C \in \{0,1\}^m$.

Output: $M = (M_0, \dots, M_{L-1})$ such that $S_j(x) = C$.

1. Label all masks $M_0, \dots, M_{L-1}$ as "undefined."

2. Repeat the following steps while $j > 0$. If $j = 0$, randomly define all undefined masks and quit.

3. Let $i = j - 2^{\nu(j)}$.

4. Pick $D$ at random from $\{0,1\}^m$.

5. Randomly define all yet undefined masks from the list $M_{\nu(i+1)}, \dots, M_{\nu(j-1)}$.

6. If $i = 0$, let $C_0 = \mathrm{IV}$, otherwise let $C_i = h_k(D, x_i)$. Compute $C_{i+1} = h_k(M_{\nu(i+1)} \oplus C_i, x_{i+1}), \dots, C_{j-1} = h_k(M_{\nu(j-1)} \oplus C_{j-2}, x_{j-1})$.

7. Let $M_{\nu(j)} = C_{j-1} \oplus C$.

8. Assign $C \leftarrow D$, $j \leftarrow i$ and go to step 2.

First, note two invariants of the algorithm.

Invariant 1. $\nu(i) > \nu(j)$.

Invariant 2. $\nu(j) > \nu(l)$ for any $i < l < j$.

Both invariants follow from the fact that $j \equiv 2^{\nu(j)} \pmod{2^{\nu(j)+1}}$.

To prove the correctness of the algorithm we need to show that a mask is never redefined. Masks are defined in three steps of the algorithm. In steps 2 and 5 only undefined masks are assigned random values. By Invariant 2 their numbers are less than $\nu(j)$. In step 7 mask $M_{\nu(j)}$ is defined. Because $\nu(j)$ always increases (by Invariant 1) and masks that have been defined have numbers less than $\nu(j)$, before execution of this step $M_{\nu(j)}$ was not defined.

Since $C_i, \dots, C_{j-1}$ computed in step 6 of the algorithm are indeed the values of the corresponding chaining variables, $S_j(x) = C_{j-1} \oplus M_{\nu(j)} = C_{j-1} \oplus C_{j-1} \oplus C = C$ as required. It completes our proof of correctness of the key reconstruction algorithm.

As the last step toward the proof of the theorem we have to show that the bit-vectors $M$ output by the algorithm have the uniform distribution. Write down all the "decisions" (strings chosen at random) made during the execution of the algorithm (including its input $C$). It is a list of type $C, S_{j_1}(x), \dots, S_{j_t}(x), M_{i_1}, \dots$ that contains exactly $L + 1$ $m$-bit strings (because all strings are equally long, and every mask must be defined in steps 2, 5 or 7). Since the algorithm never stops without yielding a result, there is a mapping from the set of these strings into the set of possible outputs, which has the same cardinality. This mapping is an injection, because a preimage of an output value can be uniquely determined (it suffices to compute $S_j(x)$ for all corresponding $j$ given $M$, $k$ and $x$, which is trivial). Therefore, if the "decisions" are uniformly distributed, so are the outputs of the algorithm. $\square$
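As an added example (not the paper's or Shoup's code): the $r$-round Shoup construction of Section 4.1 and the key reconstruction algorithm above, over a toy keyed compression function with $m = 8$, with a check of the correctness claim $S_j(x) = C$ and a guard that raises if a mask were ever redefined (which Invariants 1 and 2 say cannot happen). The compression function, key, blocks, IV and random choices are assumptions made for this example.

```python
# Added example (not from the paper): the r-round Shoup construction of
# Section 4.1 and the key reconstruction algorithm above, over a toy keyed
# compression function with m = 8. check_reconstruction verifies S_j(x) = C
# for the reconstructed masks; a guard in step 7 confirms that no mask is ever
# redefined. The compression function, key, blocks and randomness are
# constructed for illustration; nothing here is Shoup's or the paper's code.
import hashlib
import random

M_BITS = 8   # m: chaining variable and mask length in bits


def nu(i: int) -> int:
    """nu(i) = exponent of the highest power of 2 dividing i (i >= 1)."""
    return (i & -i).bit_length() - 1


def h_k(key: bytes, chaining: int, block: bytes) -> int:
    """Toy keyed compression function {0,1}^{m + |block|} -> {0,1}^m."""
    return hashlib.sha256(key + bytes([chaining]) + block).digest()[0]


def shoup_hash(key: bytes, masks: list, blocks: list, iv: int = 0) -> int:
    """S^{r,M} h_k(x): C_0 = IV, C_i = h_k(C_{i-1} XOR M_{nu(i)}, x_i), output C_r."""
    c = iv
    for i, block in enumerate(blocks, start=1):
        c = h_k(key, c ^ masks[nu(i)], block)
    return c


def s_j(key: bytes, masks: list, blocks: list, j: int, iv: int = 0) -> int:
    """S_j(x) = C_{j-1} XOR M_{nu(j)}: first m bits of h_k's input in round j."""
    c = iv
    for i in range(1, j):
        c = h_k(key, c ^ masks[nu(i)], blocks[i - 1])
    return c ^ masks[nu(j)]


def reconstruct_key(key: bytes, blocks: list, j: int, C: int,
                    iv: int = 0, rng: random.Random = None) -> list:
    """Key reconstruction algorithm: masks M_0..M_{L-1} with S_j(x) = C,
    L = floor(log2 r) + 1. Step numbers follow the paper's listing."""
    rng = rng or random.Random(0)
    r = len(blocks)
    L = r.bit_length()
    masks = [None] * L                                   # step 1
    while j > 0:                                         # step 2
        i = j - (1 << nu(j))                             # step 3
        D = rng.randrange(1 << M_BITS)                   # step 4
        for l in range(i + 1, j):                        # step 5
            if masks[nu(l)] is None:
                masks[nu(l)] = rng.randrange(1 << M_BITS)
        c = iv if i == 0 else h_k(key, D, blocks[i - 1])    # step 6: C_i
        for l in range(i + 1, j):
            c = h_k(key, masks[nu(l)] ^ c, blocks[l - 1])   # C_{i+1} .. C_{j-1}
        if masks[nu(j)] is not None:       # excluded by Invariants 1 and 2
            raise RuntimeError("mask M_%d would be redefined" % nu(j))
        masks[nu(j)] = c ^ C                             # step 7
        C, j = D, i                                      # step 8
    # step 2 with j == 0: define the remaining masks at random
    return [m if m is not None else rng.randrange(1 << M_BITS) for m in masks]


def check_reconstruction(key: bytes, blocks: list, j: int, C: int,
                         seed: int = 0) -> bool:
    """Correctness claim of the algorithm: S_j(x) equals the chosen C."""
    masks = reconstruct_key(key, blocks, j, C, rng=random.Random(seed))
    return s_j(key, masks, blocks, j) == C


if __name__ == "__main__":
    key = b"constructed-key"
    blocks = [bytes([b]) for b in range(1, 12)]          # r = 11 blocks
    print(all(check_reconstruction(key, blocks, j, 0x5A) for j in range(1, 12)))
```

Each loop iteration fixes one mask by computation (step 7) and the rest by sampling, so the number of random $m$-bit strings consumed equals the number of masks; that is the counting behind the uniformity argument at the end of the proof.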



Shoup proved the security of the construction above. Our proof makes the key reconstruction algorithm more explicit and one-pass, thus giving a more efficient reduction, and requires less from the function $\nu$ (we do not need Fact 2 in [Sh00]). The operation performed by the key reconstruction algorithm in step 3 brings in Theorem 4: the mask for $i = j - 2^{\nu(j)}$ is the only mask that appears an odd number of times between $\ldots$ and its previous appearance (if there exists one) at $\ldots$

We stress that our result of optimality of the Shoup scheduling does not rule out existence of a composite scheme with a shorter key. Even more important, our result implies that there must be at least $1 + \lfloor \log r \rfloor$ different masks, but says nothing about their independence. However, the proof of validity of the Shoup construction does need full independence of masks. There is an apparent gap between these two proofs.

We may try to reduce the key length by letting the masks be the output of a pseudo-random generator initialized with a short seed. Unfortunately, once the seed is exposed we cannot suppose anything about the output of the generator unless we resort to the random-oracle model. But in this model one could assume existence of CRHFs in the first place and our construction would be of no use in this world.

5 Conclusion and Open Problem

Recent attacks on MD4, MD5 and a flaw in the first version of SHA demonstrate that practical CRHFs are hard to construct. The oracle separation result due to [Si98] backed up this empirical fact by proving that CRHFs cannot be constructed from one-way permutations. Though UOWHFs, an alternative to CRHFs, have been known for years, their deployment in practical cryptosystems was hindered by lack of efficient composite schemes. While a family of CRHFs can be based on a single compression function, similar constructions for UOWHFs can only yield families of functions with variable key length. A variable key-length hash function stands out from all cryptographic primitives we use in practice and this annoying property can propagate to higher levels of construction (see [?] for an example).

We may approach this problem from two directions. First, it is possible that there exists a class of functions that are weaker than CRHFs, at least as strong as UOWHFs and for which an efficient composite scheme exists. We introduce a continuum of function classes that lie between CRHFs and UOWHFs and are characterized by the degree of freedom the adversary has in choosing one of the colliding elements. From the complexity-theoretic point of view the hierarchy almost collapses to two large classes. The Merkle-Damgård construction, which yields fixed-length-key families of functions, applies to one class of functions and not to the other.

Another approach is to improve existing composite schemes for UOWHFs. We take the Shoup construction, which is the most efficient (key length-wise), and prove that the scheme is optimal in respect to its mask scheduling. We also give a simplified proof of the Shoup construction.

An open problem is whether there exists a lower bound on the key length of a family of UOWHFs built via a black-box construction out of one-way functions. The upper bound given by numerous schemes from [?] is $O(\log n)$, where $n$ is the length of the input to a particular function. Such a lower bound would complement the line of research of [?] on efficiency of black-box constructions for UOWHFs.
Abstract. NTRU is a fast public key cryptosystem presented in 1996 by Hoffstein, Pipher and Silverman of Brown University. It operates in the ring of polynomials $\mathbb{Z}[X]/(X^N - 1)$, where the domain parameter $N$ largely determines the security of the system. Although $N$ is typically chosen to be prime, Silverman proposes taking $N$ to be a power of two to enable the use of Fast Fourier Transforms. We break this scheme for the specified parameters by reducing lattices of manageably small dimension to recover partial information about the private key. We then use this partial information to recover partial information about the message or to recover the private key in its entirety.



1 Introduction

NTRU is a fast public key cryptosystem that operates in the ring of truncated polynomials given by $\mathbb{Z}[X]/(X^N - 1)$, where the domain parameter $N$ largely determines the security of the system. Typically $N$ is chosen to be a prime number (not for security reasons, but because having $N$ prime maximizes the probability that the private key has an inverse with respect to a specified modulus [?]). Recently, however, Silverman has proposed taking $N$ to be a power of two to allow the use of Fast Fourier Transforms when computing the convolution product of elements in the ring [?].

In this paper, we present lattice-based attacks that are especially effective when $N$ is composite. We show how to use low-dimensional lattices to find a folded version of the private key, where the folded private key has $d$ coefficients with $d$ dividing $N$. This folded private key can be used either to obtain a folding of the plaintext message, or as partial information to help us recover the entire private key. Using this attack, we were able to recover entire private keys for the NTRU-256 scheme proposed by Silverman in an average of about 3 minutes.



2 Notation

We denote the ring of integers by $\mathbb{Z}$, and the ring of integers modulo $q$ by $\mathbb{Z}_q$, whose elements are taken in the interval $(-\frac{q}{2}, \frac{q}{2}]$. The polynomial ring $\mathbb{Z}_q[X]/(X^n - 1)$ contains all polynomials with degree less than $n$ and coefficients in $\mathbb{Z}_q$. The inverse of a polynomial $f \in \mathbb{Z}_q[X]/(X^n - 1)$ is denoted by $f^{-1}$. A polynomial may be described as a row vector:

$$f = \sum_{i=0}^{n-1} f_i X^i = (f_0, f_1, \dots, f_{n-1}).$$

Concatenation of $f$ and $g$ is denoted by $(f, g)$. The convolution $f * g$ of two vectors is analogous to ordinary polynomial multiplication over $\mathbb{Z}[X]/(X^n - 1)$:

$$(f * g)_k = \sum_{i + j \equiv k \bmod n} f_i g_j.$$

When $d$ divides $n$, the $d$-dimensional folded version of $f$ is defined by:

$$f_{(d)} = \Big( \sum_{\substack{0 \le i < n \\ i \equiv 0 \bmod d}} f_i, \ \sum_{\substack{0 \le i < n \\ i \equiv 1 \bmod d}} f_i, \ \dots, \ \sum_{\substack{0 \le i < n \\ i \equiv d-1 \bmod d}} f_i \Big).$$

In algebraic terms, $f_{(d)}$ may be described as the image of $f$ under the canonical mapping from $\mathbb{Z}[X]/(X^n - 1)$ to $\mathbb{Z}[X]/(X^d - 1)$. The $i$-th term of $f_{(d)}$ will be denoted $f_{(d),i}$. The circulant matrix associated with $f$ is given by $F$, where:

$$F_{ij} = f_{j - i \bmod n}.$$

$F_i$ will denote the $i$-th row vector of $F$. $F_{(d)}$ will denote the circulant associated with $f_{(d)}$, and $F_{(d),i}$ will denote its $i$-th row vector. $I_{(d)}$ will refer to the $d$-dimensional identity matrix.

3 The NTRU Cryptosystem

Public Parameters. The basic objects of the NTRU Cryptosystem are polynomials from the ring $\mathbb{Z}[X]/(X^N - 1)$, where $N$ is a public parameter. Also public are two moduli, $p$ and $q$, with $\gcd(p, q) = 1$ and $p \ll q$. For example, $(N, p, q) = (167, 3, 128)$ has been proposed as a high security parameter set [7]. Additional public parameters include $S_f$, $S_g$, $S_m$, and $S_\phi$, which describe the space of allowable polynomials for private keys $f$ and $g$, the plaintext message $m$, and a random polynomial $\phi$ that the sender uses in encrypting the message. These spaces are designed to limit $f$, $g$, $m$, and $\phi$ to vectors that have short Euclidean length (in practice, less than $\sqrt{N}$) and that typically are also very short in the $l_\infty$-norm, i.e., the magnitudes of the individual coefficients are typically very small in relation to $q$. For example, in NTRU-167, $S_f$ might limit $f$ to those polynomials having exactly 61 coefficients equal to 1, 60 coefficients equal to $-1$, and 46 coefficients equal to 0 [7]. $S_m$ always restricts the coefficients of $m$ to $\mathbb{Z}_p$.

Key Creation. Choose random $f \in S_f$ and $g \in S_g$. Compute $f_q^{-1}$ and publish the polynomial

$$h = f_q^{-1} * g \pmod q$$

as the public key. Both $f$ and $g$ are private, with $f$ serving as the private key.
Encryption. Choose random $\phi$ in $S_\phi$, and compute the ciphertext:

$$e = m + p\phi * h \pmod q.$$

Decryption. Compute

$$f * e = f * m + p\phi * f * h \pmod q$$
$$= f * m + p\phi * g \pmod q,$$

where the second equality follows from the definition of $h$. Assuming $S_f$, $S_m$, $S_\phi$, and $S_g$ are chosen wisely, such that the coefficients of $f$, $m$, $\phi$, and $g$ are very small in relation to $q$, then, with high probability, we get

$$f * m + p\phi * g \pmod q = f * m + p\phi * g,$$

which is to say that reduction modulo $q$ has no effect. This is because the coefficients of $f * m + p\phi * g$, with high probability, already lie in $(-\frac{q}{2}, \frac{q}{2}]$ before reduction modulo $q$. Possessing the unreduced value of $f * m + p\phi * g$, we can compute

$$f * m + p\phi * g \pmod p = f * m \pmod p,$$

and then

$$f_p^{-1} * f * m \pmod p = m \pmod p.$$
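As an added example (not NTRU's or the paper's code): the key creation, encryption and decryption steps above in a toy instance with $(N, p, q) = (11, 3, 64)$. The sample spaces $S_f$, $S_g$, $S_\phi$ (fixed numbers of $\pm 1$ coefficients), the seeded randomness and the inversion routines (extended Euclid over $\mathbb{Z}_p[X]$, Newton lifting for $q = 2^k$) are assumptions made for this example. With these sizes every coefficient of $f * m + p\phi * g$ has magnitude at most $7 + 3 \cdot 6 = 25 < 32$, so reduction modulo $q$ never interferes and decryption always succeeds; the example also shows the invertibility condition behind the parenthetical remark in the Introduction, since key creation must retry until $f$ is invertible modulo both $p$ and $q$.

```python
# Added example (not from the paper): a toy NTRU following the key creation,
# encryption and decryption steps above, in Z[X]/(X^N - 1). (N, p, q) =
# (11, 3, 64), the ternary sampling of f, g, phi, m and the inversion routines
# (extended Euclid over Z_p[X]; Newton lifting for q = 2^k) are constructed for
# illustration only; this is not NTRU's code and the sizes give no security.
import random

def conv(f, g, N, mod=None):
    """(f * g)_k = sum over i + j = k (mod N) of f_i g_j, optionally mod 'mod'."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[(i + j) % N] += fi * gj
    return [c % mod for c in out] if mod else out

def centre(f, mod):
    """Representatives in (-mod/2, mod/2], the paper's convention for Z_q."""
    return [c % mod - mod if c % mod > mod // 2 else c % mod for c in f]

def inverse_mod_prime(f, N, p):
    """f^{-1} in Z_p[X]/(X^N - 1), p prime, via extended Euclid on (f, X^N - 1);
    None when the gcd is not a unit. Polynomials are coefficient lists."""
    def deg(a):
        return max((i for i, c in enumerate(a) if c % p), default=-1)
    def sub(a, b):
        n = max(len(a), len(b))
        return [(x - y) % p for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]
    def mul(a, b):
        out = [0] * (len(a) + len(b) - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                out[i + j] = (out[i + j] + x * y) % p
        return out
    def divmod_(a, b):
        a, quot, db = [c % p for c in a], [0] * len(a), deg(b)
        inv_lead = pow(b[db], -1, p)
        while deg(a) >= db:
            da = deg(a)
            quot[da - db] = a[da] * inv_lead % p
            a = sub(a, [0] * (da - db) + [quot[da - db] * c for c in b])
        return quot, a
    r0, r1 = [p - 1] + [0] * (N - 1) + [1], [c % p for c in f]   # X^N - 1, f
    s0, s1 = [0], [1]                                              # s_i * f = r_i
    while deg(r1) > 0:
        quot, rem = divmod_(r0, r1)
        r0, r1, s0, s1 = r1, rem, s1, sub(s0, mul(quot, s1))
    if deg(r1) < 0:
        return None                              # gcd of positive degree
    scale = pow(r1[0], -1, p)                    # r1 is a nonzero constant
    return [(c * scale) % p for c in (s1 + [0] * N)[:N]]

def inverse_mod_power_of_two(f, N, q):
    """f^{-1} mod q = 2^k: invert mod 2, then lift by a <- a(2 - f*a) (mod q),
    which doubles the number of correct low-order bits per round."""
    a = inverse_mod_prime(f, N, 2)
    if a is None:
        return None
    prec = 2
    while prec < q:
        two_minus_fa = [(-c) % q for c in conv(f, a, N, q)]
        two_minus_fa[0] = (two_minus_fa[0] + 2) % q
        a, prec = conv(a, two_minus_fa, N, q), prec * prec
    return a

def ternary(N, ones, neg_ones, rng):
    """Random vector with the given numbers of +1 and -1 coefficients."""
    v = [1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones)
    rng.shuffle(v)
    return v

def keygen(N, p, q, rng):
    """Key creation: f in S_f, g in S_g, h = f_q^{-1} * g (mod q). Returns
    ((f, f_p^{-1}), h), retrying until f is invertible mod p and mod q."""
    while True:
        f = ternary(N, 4, 3, rng)
        fq, fp = inverse_mod_power_of_two(f, N, q), inverse_mod_prime(f, N, p)
        if fq is not None and fp is not None:
            return (f, fp), conv(fq, ternary(N, 3, 3, rng), N, q)

def encrypt(m, h, N, p, q, rng):
    """e = m + p * phi * h (mod q) with a fresh random phi in S_phi."""
    phi = ternary(N, 3, 3, rng)
    return [(mi + p * c) % q for mi, c in zip(m, conv(phi, h, N, q))]

def decrypt(e, f, fp, N, p, q):
    """f * e centred mod q equals f*m + p*phi*g exactly (coefficients are at
    most 7 + 3*6 = 25 < 32 in magnitude here); reduce mod p, multiply by
    f_p^{-1} and centre to recover m."""
    a = centre(conv(f, e, N, q), q)
    return centre(conv(fp, centre(a, p), N, p), p)

if __name__ == "__main__":
    rng = random.Random(2001)
    N, p, q = 11, 3, 64
    (f, fp), h = keygen(N, p, q, rng)
    m = ternary(N, 4, 3, rng)
    print(decrypt(encrypt(m, h, N, p, q, rng), f, fp, N, p, q) == m)
```

The `centre` step is where the "reduction modulo $q$ has no effect" argument lives: decryption is only correct because the unreduced sum fits in $(-\frac{q}{2}, \frac{q}{2}]$, which is why the parameter spaces bound the coefficient magnitudes.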

4 Previous Lattice Attacks on NTRU

Lattice attacks on NTRU (including our attack) have focused primarily on the following "key recovery" problem: find the private key $f$ using only the public key $h$ and public information about how $f$ and $g$ are chosen ($S_f$ and $S_g$).$^1$ By the definition of $h$, we know that $f * h = g \pmod q$, but this information alone is clearly insufficient to recover $f$. Indeed, the set of pairs $u, v \in \mathbb{Z}^N$ that satisfy $u * h = v \pmod q$ is an additive abelian group of infinite cardinality. Even if we limit ourselves to pairs $u, v \in \mathbb{Z}_q^N$, we are still left with $q^N$ distinct $(u, v)$ pairs corresponding to the $q^N$ distinct values that $u$ can assume. How do we find the pair $(f, g)$ from among these $q^N$ possibilities?

We know that, to enable error-free decoding, the coefficient vectors of $f$ and $g$ each have short Euclidean length (less than $\sqrt{N}$ in current NTRU implementations). They are considerably shorter than the typical "random" $N$-dimensional vector with coefficients in $\mathbb{Z}_q$, which has an expected length of roughly $q\sqrt{N/12}$.

$^1$ Non-lattice-based cryptanalysis of NTRU includes a meet-in-the-middle attack found by Odlyzko [?] and a chosen-ciphertext attack presented by Jaulmes and Joux [?], which exploited NTRU's inappropriate use of OAEP-like padding. We understand that NTRU now uses the hybridization method presented by Fujisaki and Okamoto [2] to obviate chosen-ciphertext attacks.
Also, one can show that it is extremely unlikely that the abelian group generated by a "randomly" chosen $h'$ has a $(u, v)$ pair as short as $(f, g)$.$^2$ These facts may lead us to hypothesize that $(f, g)$ is, in fact, the shortest nonzero vector $(u, v) \in \mathbb{Z}^{2N}$ such that $u * h = v \pmod q$. If this hypothesis is true, and if we can find an efficient way to find the shortest vector belonging to the group of $(u, v)$ pairs, we can recover the private key. This provides the motivation for representing the group of $(u, v)$ pairs as a "lattice," and then using "lattice basis reduction."

A "lattice" is a discrete additive subgroup of $\mathbb{R}^n$. For example, $\mathbb{Z}^n$ is a lattice. Also, the set of $(u, v)$ pairs is a lattice, being an additive subgroup of $\mathbb{Z}^{2N}$. An equivalent, but more concrete, definition is that a lattice $L$ consists of all integer linear combinations of some set of $m$ linearly independent vectors $B = \{b_0, b_1, \dots, b_{m-1}\}$, $b_i \in \mathbb{R}^n$. Here, $m$ is the "dimension" of $L$, and $B$ is called a "basis" of $L$. The basis $B$ can be compactly represented by an $m \times n$ matrix where the $i$-th row is the "basis vector" $b_i$, in which case $L$ consists of the vectors that can be expressed as integer linear combinations of the rows of $B$. Bases for a lattice are not unique, but are related by unimodular transformations, i.e., if $U$ is an integral $m \times m$ matrix with determinant $\pm 1$, then $UB$ is an equally valid basis for $L$. Typically, the goal of "lattice basis reduction" is to find a basis for $L$ in which the basis vectors are as short as possible (usually in the Euclidean sense), with the basis vector $b_0$ being the shortest nonzero vector in the entire lattice (allowing for possible ties).

Coppersmith and Shamir [?] give us the following explicit basis for the lattice of $(u, v)$ pairs (recall that $H$ denotes the circulant matrix corresponding to the public key $h$):

$$L_{CS} = \begin{pmatrix} I_{(N)} & H \\ 0 & q I_{(N)} \end{pmatrix}.$$

To see that any pair $(u, v) \in \mathbb{Z}^{2N}$ for which $u * h = v \pmod q$ is contained in the lattice generated by $L_{CS}$, let $a \in \mathbb{Z}^N$ be such that $u * h = v + qa$. Then, if we left-multiply $L_{CS}$ by $(u, -a)$, we obtain $(u, v)$. As a consequence, the private key pair $(f, g)$ is an integer linear combination of the rows of $L_{CS}$. If $(f, g)$ is actually the shortest vector in the generated lattice, as we have reason to believe,$^3$ then an "SVP-oracle" (a magical device which gives us the answer to the "shortest vector problem" in a reasonable (polynomial) amount of time) would give us the private key when given $L_{CS}$ as input.

For the attacker, the problem is that actual lattice basis reduction algorithms, such as LLL and its variants, do not behave like SVP-oracles. The original LLL algorithm terminates in time polynomial in the dimension $n$ of the lattice, but it is only guaranteed to find a vector that is no more than $2^{(n-1)/2}$ times ($2^{(2N-1)/2}$ in the case of $L_{CS}$) as long as the shortest vector. Obviously, such an algorithm is useless to us, considering that it is trivial to find vectors only about $\ldots$ times as long as $(f, g)$, as suggested above, and even these are far too long to be useful for decryption. Variants of LLL exist that find shorter vectors, but they naturally have greater time-complexity. In particular, Schnorr defines a family of LLL-variants whose performances depend on a parameter called the "blocksize." Little is known about the average-case complexity of these variants, but it appears, based on numerous experiments by the authors of NTRU using Shoup's NTL library [?], that the time necessary to find $(f, g)$ in the lattice grows at least exponentially in $N$ (because the block size required for LLL to find $(f, g)$ grows roughly linearly in $N$, and the running time of LLL is exponential in the block size [?]). The authors of NTRU estimate that, for $N \ge 90$, it takes current lattice reduction algorithms $e^{0.2002N - 7.608}$ seconds to find $(f, g)$ on a 400 MHz machine, which translates into $4.607 \times 10^{14}$ MIPS-years to break NTRU-263 [?].

$^2$ See Appendix A.1.
$^3$ See Appendix A.1.

5 Cryptanalysis of NTRU-Composite 

The problem with previous lattice-based attacks is that the dimension of the 
lattices involved is too high, given that the running time of LLL to return the 
target vector of these lattices is empirically exponential in the lattice dimension. 
Ideally, we would like to construct much smaller (and more easily reducible) 
lattices whose shortest vectors contain at least some useful cryptanalytic infor- 
mation. We can do this if $N$ is composite. 

Theorem 1. Let $N$ be composite, and $d$ be a nontrivial divisor. The mapping 
$\theta : \mathbb{Z}[X]/(X^N - 1) \to \mathbb{Z}[X]/(X^d - 1)$ given by 

$$\theta(f) = f_{(d)}$$

is a ring homomorphism. 

Although this is a basic algebraic result, arising from the fact that $(X^d - 1)$ 
divides $(X^N - 1)$ when $d$ divides $N$, we prove that the mapping respects multiplication in a concrete fashion. 
Let $g = f * h$, so that $g_i = \sum_{x + y \equiv i \bmod N} f_x h_y$. 

Proof. 

$$
\begin{aligned}
g_{(d),k} &= \sum_{\substack{0 \le i < N \\ i \equiv k \bmod d}} g_i
= \sum_{\substack{0 \le i < N \\ i \equiv k \bmod d}} \;\sum_{\substack{0 \le x, y < N \\ x + y \equiv i \bmod N}} f_x h_y
= \sum_{\substack{0 \le x, y < N \\ x + y \equiv k \bmod d}} f_x h_y \\
&= \sum_{\substack{0 \le v, w < d \\ v + w \equiv k \bmod d}} \left( \sum_{\substack{0 \le x < N \\ x \equiv v \bmod d}} f_x \right) \left( \sum_{\substack{0 \le y < N \\ y \equiv w \bmod d}} h_y \right)
= \sum_{\substack{0 \le v, w < d \\ v + w \equiv k \bmod d}} f_{(d),v}\, h_{(d),w}
\end{aligned}
$$

This gives us $f_{(d)} * h_{(d)} = g_{(d)}$, which is what we wanted. □ 

⁴ Refinements to $L_{CS}$ by May [ref] have made it possible to recover an NTRU-107 
private key in 12 to 24 hours on a single 400 MHz machine [ref], but do not seriously 
affect the security estimates for higher security levels, such as NTRU-167 [ref]. 
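The folding map on explicit coefficient vectors, as an added example (not from the paper): it checks Theorem 1 on constructed vectors for divisors of $N$, shows that the identity $\theta(f * h) = \theta(f) * \theta(h)$ fails as soon as $d$ does not divide $N$ (the point made for prime $N$ in Section 7), and evaluates the norm ratio that Theorem 2 of the appendix bounds by $\sqrt{N/d}$. `F_TOY`, `G_TOY` and `H_TOY` are constructed integer vectors, not NTRU keys.

```python
# Added example: the folding map theta(f) = f_(d) on coefficient vectors.
import math

F_TOY = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0]     # constructed, N = 12, binary
G_TOY = [0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1]     # constructed, N = 12, binary
H_TOY = [5, -3, 2, 0, 7, 1, -4, 6, 0, 2, -1, 3]  # constructed, any integer vector


def convolve(a, b, n):
    """Multiplication in Z[X]/(X^n - 1)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c


def fold(v, d):
    """f_(d),k = sum of f_i over all 0 <= i < N with i = k (mod d)."""
    return [sum(v[i] for i in range(k, len(v), d)) for k in range(d)]


def folding_is_multiplicative(f, h, d):
    """Does theta(f * h) equal theta(f) * theta(h) in Z[X]/(X^d - 1)?
    Theorem 1 guarantees this whenever d divides N = len(f)."""
    n = len(f)
    return fold(convolve(f, h, n), d) == convolve(fold(f, d), fold(h, d), d)


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def fold_norm_ratio(f, g, d):
    """||(f_(d), g_(d))|| / ||(f, g)||, which Theorem 2 bounds by sqrt(N/d);
    the bound is attained exactly when f and g are d-periodic."""
    return norm(fold(f, d) + fold(g, d)) / norm(f + g)
```

For $d \nmid N$ the two sides of `folding_is_multiplicative` differ already for monomials: with $N = 12$, $X \cdot X^{11} = 1$ folds to $1$, while $\theta(X) \theta(X^{11}) = X \cdot X = X^2$ in $\mathbb{Z}[X]/(X^5 - 1)$.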



5.1 A Smaller Version of $L_{CS}$ 

With the equation $f_{(d)} * h_{(d)} = g_{(d)}$ in mind, we construct the following $2d$- 
dimensional analog of $L_{CS}$ (recall that $H_{(d)}$ is the circulant corresponding to 
$h_{(d)}$): 

$$L_{(d)} = \begin{pmatrix} I_{(d)} & H_{(d)} \\ 0 & qI_{(d)} \end{pmatrix}$$

This lattice contains the vector $(f_{(d)}, g_{(d)})$. Notice that if $N/d$ is not too large, 
then the smallness of the coefficients of $f$ and $g$ ensures that the coefficients 
of $f_{(d)}$ and $g_{(d)}$, each of which is a summation of $N/d$ coefficients of $f$ and $g$ 
respectively, are also small. Assuming $(f_{(d)}, g_{(d)})$ is the shortest vector in $L_{(d)}$, 
we can find it using lattice reduction. We can then recover significant partial 
information about the private key by reducing a lattice whose dimension is only 
a fraction of the dimension of the lattice generated by $L_{CS}$. 

In Appendix A.2 we give a tight upper bound on the length of $(f_{(d)}, g_{(d)})$ 
and show that, assuming $f$ and $g$ are "random" in a specified way, the expected 
length of $(f_{(d)}, g_{(d)})$ is equal to the length of $(f, g)$ (once certain modifications are 
made to these vectors). This leads us to conclude that, at least when $d > \sqrt{N}$, 
$(f_{(d)}, g_{(d)})$ is almost certainly the shortest vector in $L_{(d)}$ for the same reasons 
that $(f, g)$ is almost certainly the shortest vector in $L_{CS}$. 

Remark: In the discussion above, we have limited our focus to homomor- 
phisms of the form $\theta : \mathbb{Z}[X]/(X^N - 1) \to \mathbb{Z}[X]/(X^d - 1)$ and the folded lattices 
derived therefrom, but this need not be the case. More generally, we could con- 
sider homomorphisms of the form $\alpha : \mathbb{Z}_q[X]/(X^N - 1) \to \mathbb{Z}_q[X]/(s(X))$ given by 
$\alpha(f) = f + \langle s(X), q \rangle$, where $s(X)\,t(X) = (X^N - 1) \pmod q$ for some $t(X)$. 
However, such homomorphisms appear to be useful only when $(\alpha(f), \alpha(g))$ is a 
short vector that can be found using lattice basis reduction, and $(\alpha(f), \alpha(g))$ is 
always short only if $s(X)$ is an extremely short vector, preferably with a minimum 
of high degree coefficients (e.g., $X^d - 1$). Useful alternative homomorphisms 
therefore appear to be rare. 



5.2 Message Attacks 

Once we find $f_{(d)}$, we can make immediate use of it to recover the folded plain- 
text from the ciphertext $e$. Since folding is a ring homomorphism, we get: 

$$f_{(d)} * e_{(d)} = f_{(d)} * m_{(d)} + p\,\phi_{(d)} * f_{(d)} * h_{(d)} = f_{(d)} * m_{(d)} + p\,\phi_{(d)} * g_{(d)} \pmod q.$$

We then proceed through the steps of decryption in the usual way until we 
obtain $m_{(d)}$. If $N/d = 2$, for example, knowing $m_{(d)}$ is tantamount to knowing 
$m_i + m_{i+d}$ for $0 \le i < d$, where the $m_i$ are coefficients from the original plaintext. 
This could be useful information. 

However, folding entails an increased likelihood of decryption errors, since 
the expected magnitudes of the coefficients of $f_{(d)} * m_{(d)} + p\,\phi_{(d)} * g_{(d)}$ are larger 
than those of $f * m + p\,\phi * g$ by a factor of $\sqrt{N/d}$. So, this message attack appears 
to be practical only for very small values of $N/d$. 



5.3 Key Recovery Attacks 

Alternatively, we can use $f_{(d)}$ to help us recover $f$. The basic concept behind 
this attack is the Chinese Remainder Theorem, which tells us, for example, 
that $f$ is completely determined by the values of $f \pmod{X^d - 1}$ and $f \pmod{(X^N - 1)/(X^d - 1)}$.⁵ 
Instead of using the lattice corresponding to $f \pmod{(X^N - 1)/(X^d - 1)}$, however, 
we use a different lattice with a shorter target vector. 

Supposing, for example, that $N/d = 2$, we obtain linear equations of the form 
$f_{i+d} = f_{(d),i} - f_i$, so that we have 

$$f = (f_0, f_1, \ldots, f_{d-1},\; f_{(d),0} - f_0,\; f_{(d),1} - f_1,\; \ldots,\; f_{(d),d-1} - f_{d-1}).$$

Recall that in the lattice generated by $L_{CS}$, the target vector 

$$(f, g) = \sum_{i=0}^{N-1} f_i\,(I_i, H_i) \pmod q,$$

where $(I_i, H_i)$ denotes the concatenation of the $i$th rows of the identity matrix 
and the circulant $H$. Using the dependencies in $f$, we obtain 

$$
\begin{aligned}
(f, g) &= \sum_{i=0}^{d-1} f_i\,(I_i, H_i) + \sum_{i=0}^{d-1} (f_{(d),i} - f_i)\,(I_{i+d}, H_{i+d}) \pmod q \\
&= \sum_{i=0}^{d-1} f_i\,(I_i - I_{i+d},\; H_i - H_{i+d}) + \sum_{i=0}^{d-1} f_{(d),i}\,(I_{i+d}, H_{i+d}) \pmod q.
\end{aligned}
$$

Notice that we already know all of the terms in the second summation; let 
$(s, t)$ be this known vector. If we denote by $u$ the $d$-dimensional vector with 
coefficients equal to the first $d$ coefficients of $f$, then $(u, g)$ is in the following 
$(N + d + 1) \times (N + d)$ lattice: 

$$L_{ug} = \begin{pmatrix} 0 & t \\ I_{(d)} & H_{(N),i} - H_{(N),i+d} \\ 0 & qI_{(N)} \end{pmatrix}$$

where $H_{(N),i} - H_{(N),i+d}$ is a $d \times N$ matrix formed by pairing rows, and the 
top third of the lattice consists only of a single row. Now, if we wish, we may 
discard the last $d$ columns, obtaining a $(2d + 1) \times (2d)$ lattice with target vector 
$(u, v)$, where $v$ consists of the first $d$ coefficients of $g$. Clearly, $(u, v)$ is a short 
vector, most likely the shortest vector in this lattice. Once we obtain $(u, v)$, this 
information can be combined with $(f_{(d)}, g_{(d)})$ to completely recover $(f, g)$. We 
thereby obtain the private key without ever having to reduce a $2N$-dimensional 
lattice. When $N/d > 2$, we can decrease the dimension of $L_{CS}$ by about $2d$ in 
a similar fashion. This $2d$ reduction in lattice dimension should reduce LLL's 
running time by a factor exponential in $2d$. 

⁵ More generally, $f$ is determined by $\{f \pmod{s_1}, f \pmod{s_2}, \ldots, f \pmod{s_z}\}$, 
$s_i \in \mathbb{Z}[X]$, when $k(X)\,(X^N - 1) = \mathrm{L.C.M.}(s_1, s_2, \ldots, s_z) \pmod q$ for some 
$k(X) \in \mathbb{Z}[X]$. 



6 NTRU-256 

Silverman [ref] proposes choosing $N$ to be a power of 2, because then convolution 
products can be computed rapidly using Fast Fourier Transforms. In particular, 
he suggests $(N, p, q) = (256, 2, 127)$ as an advantageous choice of parameters. 
We found that an NTRU-256 private key can be recovered in about 3 minutes 
using the folding technique described above. 

In our experiments, we used a three-staged approach in recovering the private 
key. First, we recovered $(f_{(64)}, g_{(64)})$ by reducing the lattice generated by $L_{(64)}$, a 
128-dimensional matrix with $H_{(64)}$ in the upper right quadrant. Second, we recovered 
$(f_{(128)}, g_{(128)})$ by reducing the $129 \times 128$ lattice constructed as described above. 
Finally, we took advantage of the modulo $p$ structure of the private keys to 
create an over-defined system of linear equations. For example, upon computing 
that $f_{(128),i} = 0$, we know that $f_i = f_{i+128} = 0$, because $f_i \in \{0, 1\}$ for all $i$. 
Similarly, $f_{(128),i} = 2$ implies $f_i = f_{i+128} = 1$. When $p = 2$, this trick most likely 
results in more than half of $g$'s coefficients being known, and less than half of $f$'s 
coefficients being unknown, so that we may solve for the unknown coefficients in 
$f$. We thereby recover the entire private key $(f, g)$ using lattices one-fourth the 
size of $L_{CS}$. 

Since the $S_f$ and $S_g$ parameters were not specified for NTRU-(256,2,127), 
we used those for NTRU-(263,2,127): specifically, $f$ and $g$ both have 35 1's, 
the rest 0's [ref]. Using NTL's implementation of LLL with a block size of 
10 for both reductions, the 3 stages took an average of 40, 43 and 3 seconds, 
respectively.⁶ Out of 20 trials, the correct key was recovered every time. We also 
tested the case when $f$ has 75 1's and $g$ has 65 1's, which is more challenging 
cryptanalytically, both in terms of the lattice reduction (since the target vector 
is longer) and the linear system (since there are more equations to solve). To 
avoid errors, the block size for the second reduction was increased to 12. The 
three stages took an average of 84, 94 and 12 seconds, respectively. Out of 10 
trials, the correct key was recovered 9 times. 

⁶ For these particular values of $S_f$ and $S_g$, we could even have begun by recovering 
$(f_{(32)}, g_{(32)})$, which, heuristically, is recoverable even though $N/d$ is somewhat large. 
After finding $(f_{(64)}, g_{(64)})$, it is probable that at least half of the coefficients of each 
of $f_{(64)}$ and $g_{(64)}$ are zero, and that, consequently, over half of the coefficients of each 
of $f$ and $g$ are known to be zero. If such is the case, we can proceed directly to the 
third stage without having to reduce a lattice larger than $65 \times 64$. 

Some gimmicks were required to pick the target vector from among other 
short, but useless, vectors. For example, in the first reduction, we searched for 
$(f^{\perp}_{(64)}, g^{\perp}_{(64)})$ rather than $(f_{(64)}, g_{(64)})$, where $f^{\perp}$ is the projection of 
$f$ orthogonal to $1^N$, the vector having every coefficient equal to 1. This technique, 
originated by Coppersmith and Shamir [ref], prevents LLL from returning the 
short, but cryptanalytically useless vector $(1^N, 0^N)$. Also in the first reduction, 
LLL would often return other trivial vectors. For example, $(1^{\pm}, 1^{\pm})$ is a trivial 
vector that can arise in $L_{(64)}$, where $1^{\pm}$ is the vector consisting of alternating 
1's and -1's. We simply skipped over these trivial vectors manually, continuing 
on to the next vector in the lattice until the desired nontrivial one was obtained. 
This process certainly could have been automated. 

7 Remarks on NTRU-Prime 

As we noted in the introduction, the domain parameter $N$ is typically chosen 
to be prime not, apparently, for security reasons, but because it maximizes the 
probability that a randomly chosen private key $f$ has inverses modulo $q$ and $p$, 
these inverses being necessary for public key generation and decryption, respec- 
tively [ref]. In terms of security, NTRU's typical use of a prime domain parameter 
appears to be merely fortuitous. 

Folding does not work when $N$ is prime; e.g., $f_{(d)} * h_{(d)}$ does not equal 
$g_{(d)}$ when $d$ does not divide $N$. However, we can say that if $f * h = g$, and if $h$ 
has a period of $c$ in the sense that $h_i = h_{i+c}$ for $0 \le i < N - c$, then the first 
$N$ coefficients of $g' = (f, 0) * h'$ (where $(f, 0)$ is $f$ followed by $c$ zeros and $h'$ is 
$h$ followed by the $c$ coefficients of $h$'s period) are precisely the $N$ coefficients of 
$g$. (Proof omitted.) For example, suppose $N = 263$ and $h$ has a period of 37, 
i.e., $h_0 = h_{37}, \ldots, h_{225} = h_{262}$. Then, we obtain $(f, 0)$ by appending 37 zeros to 
$f$ and obtain the last $c$ coefficients of $h'$ by the relations $h_{263} = h_{226}, \ldots, h_{299} = h_{262}$. 
This will give us $(f, 0) * h' = (g, w)$, where the coefficients of $w$ are not 
necessarily small. Since $(f, 0)$, $h'$ and $(g, w)$ have dimension $263 + 37 = 300$, 
a composite number, we can fold them to dimension, say, 100, obtaining the 
relation $(f, 0)_{(100)} * h'_{(100)} = (g, w)_{(100)}$. All of the coefficients of $(f, 0)_{(100)}$ will 
be small, and $100 - 37 = 63$ of the coefficients of $(g, w)_{(100)}$ will be small, so we 
can construct a lattice of dimension 163 that may give us partial information 
about $f$ and $g$. Although this approach works well in the rare case that $h$ has a 
small period, it does not appear to lead to an attack against NTRU-prime that 
works in general. 
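The omitted proof can at least be checked by computation. The added example below (not from the paper) extends a periodic $h$ exactly as described, with $h'_{N+j} = h_{N-c+j}$, multiplies $(f, 0)$ by $h'$ in $\mathbb{Z}[X]/(X^{N+c} - 1)$, and compares the first $N$ coefficients with $f * h$; it also counts which coordinates of $(g, w)_{(d)}$ involve only $g$ entries after folding $N + c$ down to $d$, reproducing the $100 - 37 = 63$ count above. The toy $N = 13$, $c = 5$ and the vectors are constructed so that $N + c = 18$ is composite.

```python
# Added example: the "periodic h" device for prime N, on toy sizes.
N_TOY, C_TOY = 13, 5                                # prime N, period c (constructed)
F_TOY = [1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1]     # constructed small f
H_TOY = [2, -1, 0, 3, 1] * 2 + [2, -1, 0]           # h_i = h_{i+5} for 0 <= i < N - 5


def convolve(a, b, n):
    """Multiplication in Z[X]/(X^n - 1)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c


def fold(v, d):
    return [sum(v[i] for i in range(k, len(v), d)) for k in range(d)]


def has_period(h, c):
    return all(h[i] == h[i + c] for i in range(len(h) - c))


def extend_periodic(h, c):
    """h' = h followed by h_{N-c}, ..., h_{N-1}, i.e. h'_{N+j} = h_{N-c+j} for 0 <= j < c."""
    n = len(h)
    return list(h) + [h[n - c + j] for j in range(c)]


def first_n_coefficients_agree(f, h, c):
    """Is (f, 0) * h' in Z[X]/(X^(N+c) - 1) equal to f * h in its first N coordinates?"""
    n = len(f)
    g = convolve(f, h, n)
    g_prime = convolve(list(f) + [0] * c, extend_periodic(h, c), n + c)
    return g_prime[:n] == g


def small_fold_positions(n, c, d):
    """Indices k < d whose fold (g, w)_(d),k sums only g-coefficients, i.e. every
    i = k (mod d) with i < N + c satisfies i < N. These coordinates stay small."""
    return [k for k in range(d) if all(i < n for i in range(k, n + c, d))]


def folded_relation_holds(f, h, c, d):
    """(f, 0)_(d) * h'_(d) = (g, w)_(d) in Z[X]/(X^d - 1), for d dividing N + c."""
    n = len(f)
    f0, hp = list(f) + [0] * c, extend_periodic(h, c)
    return convolve(fold(f0, d), fold(hp, d), d) == fold(convolve(f0, hp, n + c), d)
```

The argument behind `first_n_coefficients_agree` is the one the paper omits: for $0 \le k < N$ the term $f_i h'_{(k-i) \bmod (N+c)}$ equals $f_i h_{(k-i) \bmod N}$, because for $k \ge i$ both indices coincide, and for $k < i$ the index $m = k - i + N$ satisfies either $m + c < N$ (then $h'_{m+c} = h_{m+c} = h_m$ by periodicity) or $m + c \ge N$ (then $h'_{m+c} = h_m$ by construction).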

Circulant lattices have a rather interesting property, namely, given an $n$- 
dimensional lattice generated by a circulant matrix $C$, one can construct a lattice $C_{half}$ 
of dimension about $n/2$ that contains a $C$-vector no more than twice as long as 
the shortest vector in $C$. This is a consequence of the fact that for any vectors $b$ 
and $c$, $\|b * c\| = \|b_{rev} * c\|$, where $b_{rev}$ is the reverse of $b$ given by $b_{rev,i} = b_{n-i}$. 

Now, if we suppose that the matrix $C$ consists of cyclic rotations of the vector 
$c$, and that the shortest vector in the lattice generated by $C$ is obtained through 
left-multiplication by $b$, i.e., the shortest vector is $b * c$, we get 

$$\|(b + b_{rev}) * c\| \le \|b * c\| + \|b_{rev} * c\| = 2\|b * c\|.$$

Since $(b + b_{rev})$ is a palindrome, i.e., $(b + b_{rev})_i = (b + b_{rev})_{n-i}$ for all $i$, 
$(b + b_{rev})$ has at most $\lfloor n/2 \rfloor + 1$ distinct coefficients, so that the rows of $C$ can 
be paired together. This property of circulant lattices does not appear to allow 
one to cut the dimension of $L_{CS}$ (a block-circulant lattice) in half, unless $f$ is a 
palindrome. 

8 Summary and Conclusion 

We have shown that choosing $N$ to be a composite number, especially one with 
a small factor, significantly reduces the security of the NTRU cryptosystem. 
Also, we have shown that it is possible to recover entire NTRU private keys 
using lattices of much smaller dimension than was previously thought. To avoid 
the presented attacks, $N$ should be chosen to be prime, or to have only large 
nontrivial factors. 
A Appendix 

A.1 Probability of Very Short $(u, v)$ Pair 

Assume we choose $h'$ from $\mathbb{Z}_q^N$ with uniform distribution; what is the expected 
length of the shortest nonzero pair $f', g' \in \mathbb{Z}^N$ that satisfies $f' * h' = g'$ 
$\pmod q$? We begin with the (admittedly heuristic) observation that the choices 
for $h'$ essentially partition the set of $(u, v)$ pairs according to whether $u * h' = v$ 
$\pmod q$. In other words, it is rare that the set of $(u, v)$ pairs for $h'_1$ and those for 
$h'_2$ overlap such that the equalities $u' * h'_1 = v' \pmod q$ and $u' * h'_2 = v' \pmod q$ 
are simultaneously satisfied for some $(u', v')$. This notion could be made more 
precise, but we will make do with the heuristic observation. 

Assuming that the $(u, v)$ pairs are, in fact, partitioned among the choices for 
$h'$, the probability that a randomly chosen $h'$ has a vector of length less than $R$ 
is less than or equal to $V(R)/q^N$, where $V(R)$ is the volume of a $2N$-dimensional 
ball of radius $R$, and $q^N$ is the number of $(u, v)$ pairs that belong to $h'$. Using 
Stirling's Formula for the volume of an $n$-dimensional ball, we find that the 
probability that $h'$ has a $(u, v)$ pair shorter than $\sqrt{2N}\,\sqrt{q/(2\pi e)}$ is negligibly small. 
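The Stirling estimate behind that threshold, written out here as an added step (the symbols are those of the paragraph above): the volume of the $2N$-dimensional ball is $V(R) = \pi^N R^{2N}/N!$, and with $N! \approx \sqrt{2\pi N}\,(N/e)^N$,

$$\Pr\bigl[h' \text{ has a pair with } \|(u, v)\| < R\bigr] \;\le\; \frac{V(R)}{q^N} \;=\; \frac{\pi^N R^{2N}}{N!\,q^N} \;\approx\; \frac{1}{\sqrt{2\pi N}} \left( \frac{\pi e R^2}{N q} \right)^{N}.$$

The right-hand side is exponentially small in $N$ exactly when $\pi e R^2 < Nq$, i.e. when $R < \sqrt{Nq/(\pi e)} = \sqrt{2N}\,\sqrt{q/(2\pi e)}$, which is the bound quoted above. 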

Since the probability of a random $h'$ having a $(u, v)$ pair as short as $(f, g)$ is 
extremely small, we have some basis for concluding that it is very unlikely that 
$h$ has a $(u, v)$ pair unrelated to $(f, g)$ that is as small as $(f, g)$. This conclusion 
comes with caveats, the most important being that the trivial vector $(1^N, 0^N)$, 
where $1^N$ is the vector having all $N$ elements equal to 1, is typically a $(u, v)$ pair 
for $h$, and may very well be shorter than $(f, g)$. This is not a serious problem, 
because, as shown in Appendix A.2, the group of $(u, v)$ pairs can be slightly 
modified to exclude this trivial vector. 



A.2 Length of $f_{(d)}$ 

We can establish an upper bound on the Euclidean norm of $(f_{(d)}, g_{(d)})$ as follows: 

Theorem 2. $\|(f_{(d)}, g_{(d)})\| \le \sqrt{N/d}\;\|(f, g)\|$. 

Proof. Let $b = 1 + X^d + X^{2d} + \cdots + X^{N-d}$, $v_f = f * b$ and $v_g = g * b$. Since 
$\|(f * X^i, g * X^i)\| = \|(f, g)\|$ for all $i$, we have 

$$\|(v_f, v_g)\| \le (N/d)\;\|(f, g)\|$$

by the triangle inequality, with equality holding when $f = f * X^d = \cdots = f * X^{(N/d - 1)d}$ 
and $g = g * X^d = \cdots = g * X^{(N/d - 1)d}$. Notice that the $i$th coefficient 
of $v_f$ is equal to $f_{(d),\, i \bmod d}$. In other words, the coefficients of $v_f$ are precisely 
the coefficients of $f_{(d)}$, repeated $N/d$ times. The same goes for $v_g$. Thus, 

$$\|(v_f, v_g)\| = \sqrt{N/d}\;\|(f_{(d)}, g_{(d)})\|,$$

from which the desired inequality follows. □ 

For the expected length of $(f_{(d)}, g_{(d)})$, recall that we have $\|(f_{(d)}, g_{(d)})\| = 
\sqrt{N/d}\;\|(f, g)\|$ only when 

$$f = f * X^d = \cdots = f * X^{(N/d - 1)d} \quad\text{and}\quad g = g * X^d = \cdots = g * X^{(N/d - 1)d},$$

i.e., when the coefficients of $f$ and $g$ have a period of $d$. Of course, parameters 
$S_f$ and $S_g$ can be chosen to require $f$ and $g$ to be periodic, or nearly periodic, 
but this would reduce the keyspace and invite other attacks. 

We can use ideas of Coppersmith and Shamir to obtain a better approxima- 
tion of the length of the target vector of $L_{(d)}$ when $f$ and $g$ behave like random 
vectors. Let $f^{\perp}$ denote the projection of $f$ orthogonal to $1^N$, the vector in which 
all $N$ elements are equal to 1. We find that $v_f^{\perp}$, i.e., the projection of $v_f$ or- 
thogonal to $1^N$, is equal to $f^{\perp} * b$. Then, following Coppersmith and Shamir, 
we get: 

$$\|v_f^{\perp}\|^2 = \sum_k \left( \sum_i f^{\perp}_i\, b_{k-i} \right)^2 = \sum_j \left( \sum_i f^{\perp}_i\, f^{\perp}_{i+j} \right) \left( \sum_l b_l\, b_{l+j} \right).$$

Since $b_l$ is nonzero only when $l \equiv 0 \pmod d$, each term $b_l b_{l+j}$ must be zero, and 
thus the entire rightmost summation must be zero, unless $j \equiv 0 \pmod d$. When 
$j \equiv 0 \pmod d$, the rightmost summation is equal to $N/d$. Thus, we obtain: 

$$\|v_f^{\perp}\|^2 = (N/d)\;\|f^{\perp}\|^2 + (N/d) \sum_{j \ne 0,\; j \equiv 0 \bmod d} \left( \sum_i f^{\perp}_i\, f^{\perp}_{i+j} \right).$$

If $f$ behaves like a random vector, then, for each $j$, we would expect $\sum_i f^{\perp}_i f^{\perp}_{i+j}$ 
to be less than $\sum_i f^{\perp}_i f^{\perp}_i = \|f^{\perp}\|^2$ by a factor of about $1/\sqrt{N}$. Since the terms 
have random sign, we would also expect some cancellation to occur. Thus, if 
$N/d$ is not too large (there are $N/d - 1$ terms in the first summation), such as 
when $d > \sqrt{N}$, then we can expect that 

$$\|v_f^{\perp}\|^2 \approx (N/d)\;\|f^{\perp}\|^2.$$

Since, as before, the coefficients of $v_f^{\perp}$ are precisely the coefficients of $f^{\perp}_{(d)}$ re- 
peated $N/d$ times, where $f^{\perp}_{(d)}$ denotes the projection of $f_{(d)}$ orthogonal to $1^d$, we 
get: 

$$\|f^{\perp}_{(d)}\| \approx \|f^{\perp}\|.$$

Coppersmith and Shamir have shown that $(f^{\perp}, g^{\perp})$ is the optimal target vector 
for $L_{CS}$ (ignoring their additional "balancing constant" refinement). Similarly, 
$(f^{\perp}_{(d)}, g^{\perp}_{(d)})$ is the optimal target vector for $L_{(d)}$. Thus, when $N/d$ is not too large, 
we can expect the target vector of $L_{(d)}$ to be about the same length as the target 
vector of $L_{CS}$. 

Applying the techniques used in Appendix A.1, we find that while 
$\|(f^{\perp}_{(d)}, g^{\perp}_{(d)})\| \approx \|(f^{\perp}, g^{\perp})\|$, the expected length of the shortest vector in $L_{(d)}$ 
is less than that of $L_{CS}$ by a factor of $\sqrt{N/d}$. One might think that this tighten- 
ing of the ratio between the expected length of the shortest vector to the length 
of the target vector would make the target vector more difficult for LLL to find, 
but, empirically, the small reduction in this ratio does not even come close to 
offsetting the exponential reduction in running times obtained by decreasing the 
lattice dimension. 
Abstract. We show that finding an efficiently computable injective ho- 
momorphism from the XTR subgroup into the group of points over 
$GF(p^2)$ of a particular type of supersingular elliptic curve is at least as 
hard as solving the Diffie-Hellman problem in the XTR subgroup. This 
provides strong evidence for a negative answer to the question posed 
by S. Vanstone and A. Menezes at the Crypto 2000 Rump Session on 
the possibility of efficiently inverting the MOV embedding into the XTR 
subgroup. As a side result we show that the Decision Diffie-Hellman prob- 
lem in the group of points on this type of supersingular elliptic curves 
is efficiently computable, which provides an example of a group where 
the Decision Diffie-Hellman problem is simple, while the Diffie-Hellman 
and discrete logarithm problem are presumably not. The cryptanalytical 
tools we use also lead to cryptographic applications of independent inter- 
est. These applications are an improvement of Joux's one round protocol 
for tripartite Diffie-Hellman key exchange and a non-refutable digital 
signature scheme that supports escrowable encryption. We also discuss 
the applicability of our methods to general elliptic curves defined over 
finite fields. 

1 Introduction 

XTR is an efficient and compact method to work with order $p^2 - p + 1$ subgroups 
of the multiplicative group $GF(p^6)^*$ of the finite field $GF(p^6)$. It was introduced 
in [ref], followed by several practical improvements in [ref] and [ref]. 

Throughout this paper we let $p, q > 3$ denote prime numbers. In the context of 
XTR we further demand that $p \equiv 2 \bmod 3$ and that $q$ divides $p^2 - p + 1$. Let $g$ be a 
generator of the order $q$ subgroup $\mu_q$ of $GF(p^6)^*$. In [ref] it is shown that elements 
of $\mu_q$, the XTR subgroup, can conveniently be represented by their so-called trace 
over $GF(p^2)$, and it is shown in [ref] how this representation can efficiently be 
computed. Any familiar cryptosystem based on the XTR subgroup (like Diffie- 
Hellman, ElGamal, DSA) can be easily transformed using this representation, 
yielding both efficient and compact cryptosystems. Moreover, it is shown in [ref] 
that the security of these transformed systems is equivalent to the ones started 
with, that is, the security of the discrete logarithm problem in the multiplicative 
group of the finite field $GF(p^6)^*$. We refer to the group of order $p^2 - p + 1$ of 
$GF(p^6)^*$ as the XTR supergroup. It is widely believed that the Diffie-Hellman 
and discrete logarithm problem in these XTR groups is hard. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 195–210, 2001. 

At the Crypto 2000 Rump Session [ref], the following comparison was pre- 
sented, suggesting that XTR is nothing else than an elliptic curve cryptosystem 
in disguise. As is well known, the number of points over $GF(p^2)$ (including the 
point at infinity) on an elliptic curve defined over $GF(p^2)$ takes the form $p^2 - t + 1$ 
for some integer called the Frobenius trace number $t \in [-2p, 2p]$. There exist el- 
liptic curves over $GF(p^2)$ of such order equal to $p^2 - p + 1$. These curves are 
actually characterized in [ref] as Class Three supersingular elliptic curves over 
$GF(p^2)$ with Positive parameter $t$, namely $t = p$ (as opposed to $t = -p$). This 
is why we call these curves simply the CTP curves for short. Moreover, there 
exist efficiently computable (i.e., in polynomial time and space in the length of the in- 
put), injective homomorphisms of such curves onto the XTR supergroup. The 
Menezes-Okamoto-Vanstone (MOV) embedding [ref] provides an example of such 
a homomorphism. 

It seems like a plausible hypothesis (cf. [ref]) that the inverses of such homo- 
morphisms might be efficiently computable too. Under this hypothesis the XTR 
(sub)group is just an instance of an elliptic curve (sub)group and so an attack 
affecting the security of elliptic curve cryptosystems would affect the security of 
the XTR cryptosystem. Or in other words, under this hypothesis the security of 
XTR cryptosystems is not better than that of elliptic curve cryptosystems. 

In this paper we show that the hypothesis mentioned above is unlikely to be 
correct, as we show that under this hypothesis, we can solve several problems 
that are widely believed to be hard. The Diffie-Hellman problem in the XTR 
subgroup is an example of such a problem. As a side result we show that the De- 
cision Diffie-Hellman problem in many supersingular elliptic curves is efficiently 
computable. The results presented in this paper are specifically geared towards 
XTR, to counter the suggestion that XTR is nothing else than an elliptic curve 
cryptosystem in disguise. We did not attempt to fully generalize them to other 
classes of (supersingular) elliptic curves, although we expect they can be (cf. 
Section 4). The results in this paper should therefore be interpreted in a broader 
context. Namely, they provide evidence that the multiplicative group of a finite 
field provides essentially more, and in any case not less, security than the group 
of points of a supersingular elliptic curve of comparable size. 

The CTP curves take the form $y^2 = x^3 + a$ where $a \in GF(p^2)$ is a square 
but not a cube in $GF(p^2)$, cf. [ref]. We denote the CTP curves by $C_a$. Actually, 
in the category of elliptic curves over $GF(p^2)$ only two such curves exist; all 
others are isomorphic under an efficiently computable isomorphism. Compare 
Lemma 1. The set of points over $GF(p^2)$ (including the point at infinity) on $C_a$ 
is denoted by $C_{a,p^2}$ and the subgroup thereof of order $l$ is denoted by $C_{a,p^2}[l]$. 
It is important to consider the elliptic curve $y^2 = x^3 + a$ over the extension field 
$GF(p^6)$ as well, respectively subgroups of order $l$ therein. These are denoted by 
respectively $C_{a,p^6}$ and $C_{a,p^6}[l]$. For further reference, we formulate the hypothesis 
mentioned above as follows: 
X2C There exists an efficiently computable element $a \in GF(p^2)$ and an effi- 
ciently computable, injective group homomorphism from the XTR subgroup 
into $C_{a,p^2}[q]$. 

A similar problem is posed by N. Koblitz in [ref, p. 328]. Note that X2C is 
more general than only assuming that (a restriction of) an MOV embedding 
is efficiently invertible. It actually follows from our results (see Section 3) that 
under the X2C hypothesis, (restrictions of) MOV embeddings are efficiently 
invertible. 

Outline of the paper 

In Section 2 we explore the structure of CTP curves. We introduce a so-called 
distortion map on CTP curves which is of crucial importance for our results, 
and we prove a more convenient formulation of the X2C hypothesis. In Sec- 
tion 3 we present and prove our main results and in Section 4 we briefly discuss 
some possible extensions of our results. In Section 5 we discuss some practical 
applications of distortion maps, including a more computationally and communi- 
cationally efficient variant of the one round protocol for tripartite Diffie-Hellman 
key exchange described in [ref] and a non-refutable digital signature scheme that 
supports escrowable encryption. Finally, we summarize our results in Section 6. 

2 Group Isomorphisms between CTP Curves 

We recall that any isomorphism between two elliptic curves defined over a field 
$K$ induces a group isomorphism between the points on the elliptic curves over $K$, 
but not vice versa. See [ref], [ref]. This distinction is important in the following 
lemma. 

Lemma 1 Let $C_a$ and $C_b$ be CTP curves (in particular, $a, b$ are squares in 
$GF(p^2)$ but not cubes), then the following hold: 

1. The map $S : C_{a,p^2} \to C_{a^p,p^2} : (x, y) \mapsto (x^p, y^p)$ is an efficiently computable 
group isomorphism. 

2. The equation $u^6 = b/a$ has its solutions in $GF(p^6)$ and for any such solution 
$u$, the map $R_u : C_a \to C_b : (x, y) \mapsto (u^2 x, u^3 y)$ is an isomorphism 
in the category of elliptic curves over $GF(p^6)$ and induces in particular an 
efficiently computable group isomorphism $C_{a,p^6} \to C_{b,p^6}$. 

3. The map $R_u$ is an isomorphism in the category of elliptic curves over $GF(p^2)$ 
iff $b/a$ is a cube in $GF(p^2)$. 

4. If $b/a$ is not a cube in $GF(p^2)$, then $b/a^p$ is a cube in $GF(p^2)$. Also the 
equation $w^6 = b/a^p$ has its solutions $w$ in $GF(p^2)$ and the composite map 
$R_w \circ S$ is an efficiently computable group isomorphism from $C_{a,p^2}$ to $C_{b,p^2}$. 

Proof: The first part of the lemma is well known and easily verified. That 
the equation mentioned in the second part of the lemma has a solution in $GF(p^6)$ 
follows as $b/a$ is a square in $GF(p^2)$. The remainder of the second part of the 
lemma follows for instance from [ref, Theorem 2.2]. The third part also follows 
from this result combined with the observation that $u^6 = b/a$ has all its solutions 
$u$ in $GF(p^2)$ iff $b/a$ is a cube in $GF(p^2)$. For a proof of the fourth part, let $\alpha$ 
be a generator of the multiplicative group of $GF(p^2)$. As $p > 3$ it follows that 
$p^2 - 1 \equiv 0 \bmod 3$, so the element $x = \alpha^j$ is a cube in $GF(p^2)^*$ iff $j$ is divisible by 
three. Now write $a = \alpha^k$ and $b = \alpha^l$. If $b/a$ is not a cube in $GF(p^2)$, then $k \bmod 3$ 
and $l \bmod 3$ are different. As $k, l \bmod 3$ are non-zero, it follows from $p \equiv 2 \bmod 3$ 
that $k \cdot p \bmod 3$ and $l \bmod 3$ are equal. That is, $b/a^p$ is a cube in $GF(p^2)$. The 
remainder of the proof of the fourth part of the lemma now follows from the first 
and third part. □ 

From Lemma 1 it follows that the CTP curves split into two equivalence 
classes under the equivalence relation $C_a \sim C_b$ iff $b/a$ is a third power in $GF(p^2)$. 
From [ref, Theorem 3.2] it follows that there are exactly two isomorphism classes 
of supersingular elliptic curves over $GF(p^2)$ of order $p^2 - p + 1$. We conclude that 
the CTP curves provide a complete representation of such curves. 
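The facts above are small enough to check exhaustively for a toy prime. The following is an added example (not the paper's code) with $p = 11$, which satisfies $p \equiv 2 \bmod 3$ and also $p \equiv 3 \bmod 4$, so that $GF(p^2)$ can be represented as $GF(p)[i]/(i^2 + 1)$: it enumerates the squares that are not cubes, counts the points of every $y^2 = x^3 + a$ they define to confirm the order $p^2 - p + 1$, verifies the fourth part of Lemma 1 ($b/a$ not a cube implies $b/a^p$ a cube) over all pairs, and checks that the points with zero first coordinate form the subgroup of order three used below. The distortion map itself needs $GF(p^6)$ arithmetic and is not covered here.

```python
# Added example: brute-force checks of the CTP-curve facts over GF(p^2), p = 11.
P = 11                      # p = 2 mod 3 (required); p = 3 mod 4 so GF(p^2) = GF(p)(i), i^2 = -1
ZERO, ONE = (0, 0), (1, 0)  # field elements are pairs (c0, c1) meaning c0 + c1*i


def add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)


def sub(a, b):
    return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)


def mul(a, b):
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)


def inv(a):
    n_inv = pow((a[0] * a[0] + a[1] * a[1]) % P, P - 2, P)   # 1/norm, computed in GF(p)
    return ((a[0] * n_inv) % P, (-a[1] * n_inv) % P)


def power(a, e):
    r = ONE
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r


def frob(a):
    """a -> a^p, the nontrivial automorphism of GF(p^2)."""
    return power(a, P)


def is_square(a):
    return a != ZERO and power(a, (P * P - 1) // 2) == ONE


def is_cube(a):
    return a != ZERO and power(a, (P * P - 1) // 3) == ONE


FIELD = [(c0, c1) for c0 in range(P) for c1 in range(P)]


def ctp_parameters():
    """The a for which y^2 = x^3 + a is a CTP curve: squares that are not cubes."""
    return [a for a in FIELD if is_square(a) and not is_cube(a)]


def point_count(a):
    """#C_{a,p^2} for y^2 = x^3 + a by brute force over x, the point at infinity included."""
    count = 1
    for x in FIELD:
        rhs = add(power(x, 3), a)
        if rhs == ZERO:
            count += 1
        elif is_square(rhs):
            count += 2
    return count


def ec_add(p1, p2):
    """Group law on y^2 = x^3 + a (a does not appear in the formulas); None is O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and add(y1, y2) == ZERO:
        return None
    if p1 == p2:
        lam = mul(mul((3, 0), mul(x1, x1)), inv(mul((2, 0), y1)))
    else:
        lam = mul(sub(y2, y1), inv(sub(x2, x1)))
    x3 = sub(sub(mul(lam, lam), x1), x2)
    return (x3, sub(mul(lam, sub(x1, x3)), y1))


def point_order(pt):
    k, cur = 1, pt
    while cur is not None:
        cur, k = ec_add(cur, pt), k + 1
    return k


def g3_points(a):
    """The affine points of G_3 = {(0, w), (0, -w), O}, where w^2 = a."""
    return [(ZERO, y) for y in FIELD if mul(y, y) == a]


def lemma_1_part_4_holds():
    """For CTP parameters a, b: b/a not a cube implies b/a^p is a cube."""
    params = ctp_parameters()
    return all(is_cube(mul(b, inv(frob(a))))
               for a in params for b in params if not is_cube(mul(b, inv(a))))
```

The parameter $a = 1$ lies in $GF(p)$ and is therefore a sixth power; it is excluded by `ctp_parameters`, and its curve has $(p + 1)^2$ points rather than $p^2 - p + 1$, which is the point-count difference that separates the CTP class from the other twists.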

From the previous result we immediately deduce the following. 

Theorem 2 All CTP groups $C_{a,p^2}$ are efficiently computably group isomorphic. 
Moreover, we can reformulate X2C as: 

X2C For each CTP subgroup $C_{a,p^2}[q]$ there exists an efficiently computable, 
injective homomorphism from the XTR subgroup into $C_{a,p^2}[q]$. 

Let $C_a$ be a CTP curve. We recall some facts on elliptic curves which can 
all be found in [ref]. For a divisor $l$ of $p^2 - p + 1$, the $l$-th torsion group of $C_a$ 
is the collection of all points of order dividing $l$ on the curve $y^2 = x^3 + a$ over 
the algebraic closure of the field $GF(p^2)$. The torsion group is isomorphic to 
$\mathbb{Z}_l \oplus \mathbb{Z}_l$, which is a non-cyclic, abelian group. In addition, as $C_a$ is a so-called 
Class III supersingular curve, the $l$-th torsion group of $C_a$ is just the collection 
of all points of order dividing $l$ over $GF(p^6)$ (including the point at infinity) on 
the curve $y^2 = x^3 + a$. That is, the $l$-th torsion group of $C_a$ is equal to $C_{a,p^6}[l]$ 
and is hence a subset of $GF(p^6) \times GF(p^6)$. 

Before formulating the theorem that is crucial to our results, we need a 
definition. 

Definition 3 Let $H$ be an abelian group, then two elements $g_1, g_2$ are called 
independent, provided that $g_1 \notin \langle g_2 \rangle$ and $g_2 \notin \langle g_1 \rangle$. 

This definition becomes relevant when the group $H$ is not cyclic itself, which 
is typically the situation in torsion groups. Before coming to our next result we 
remark that it is easily verified that the two points in $C_{a,p^2}$ that have a zero 
first coordinate, augmented with the point at infinity, that is $\{(0, w), (0, -w), O\}$ 
with $w^2 = a$, constitute a subgroup of order three. We denote this group by $G_3$. 

Theorem 4 Let $C_a$ be a CTP curve and let $P \ne O$ be a point on $C_{a,p^2}$. Then, 
using the notation from Lemma 1, the following hold: 

1. The equation $u^6 = a/a^p$ has its solutions $u$ in $GF(p^6) \setminus GF(p^2)$ and for any 
such solution $u$, the map $D : C_{a,p^6} \to C_{a^p,p^6} \to C_{a,p^6}$ is a group automor- 
phism which takes the form $(x, y) \mapsto (u^2 x^p, u^3 y^p)$. 

2. $\langle P \rangle \cap \langle D(P) \rangle = \{O\}$ if the order of $P$ is not divisible by 3 and $\langle P \rangle \cap \langle D(P) \rangle = 
G_3$ otherwise. 

3. The point $P$ is independent from its image under $D(.)$ iff $P$ has an order 
different from 1 or 3. 

Proof: For a proof of the first part of the theorem, it easily follows (cf. the 
proof of Lemma P) that a/a^ is not a cube in GF(p^). Now the proof follows 
from the last part of Lemma Q For a proof of the second part of the theorem: 
the first coordinate of the value {u^x^ under D{.) of a point Q = {x,y) 
is clearly not an element of GF(p^) when x is non-zero. That is, apart from the 
point at infinity, the only points that can belong to (P) fl (P(P)) have a zero 
first coordinate. As (P) fl {D{P)) is a group it is either equal to {O} or G 3 . In 
the latter case it follows that the order of P must be divisible by 3. For a proof 
of the last part, as D{.) is a group automorphism, the orders of P and D{P) 
coincide. So if these points are dependent it follows from the second part that 
either P or D{P) is an element of G 3 , i.e., of order 1 or 3. □ 

For convenience we refer to the map $D(.)$ introduced in Theorem 4 as the distortion map. In Figure 1 a few pages below we have depicted the property of $D(.)$ with $K = GF(p^2)$ and $K' = GF(p^6)$. Related to the $l$-th torsion group of $C_a$, i.e., $C_{a,p^6}[l]$, is the Weil pairing, a function

$$e_l : C_{a,p^6}[l] \times C_{a,p^6}[l] \to \mu_l,$$

where $\mu_l$ is the subgroup of $GF(p^6)^*$ of order $l$. Hence, $\mu_q$ is equal to the XTR subgroup. In the setting of supersingular curves, the Weil pairing can be computed efficiently. The Weil pairing satisfies the Identity rule, i.e., $e_l(P, P) = 1$, and is bilinear. From the latter property it follows that $e_l(a * P, b * Q) = e_l(P, Q)^{ab}$. This formula is particularly useful when $e_l(P, Q)$ is a generator of $\mu_l$, as the map $\langle P \rangle \to \mu_l : x \mapsto e_l(x, Q)$ is then a group isomorphism. Actually, this is the MOV embedding mentioned in the introduction. We finally mention that two points $P, Q$ in the torsion group $C_{a,p^6}[l]$ are dependent iff $e_l(P, Q) = 1$, see [?, p. 70].

The following corollary describes the order of a value of the Weil pairing. 

Corollary 5 Let $l$ dividing $p^2 - p + 1$ be a power of a prime number $r$ and let $P$ be a point on $C_{a,p^2}$ of order $l$. Then, letting $D(.)$ denote the distortion map from Theorem 4, the following hold:

1. If $r \neq 3$, then the element $e_l(P, D(P))$ is of order $l$ in $GF(p^6)^*$.

2. If $r = 3$, then the element $e_l(P, D(P))$ is of order at least $l/3$ in $GF(p^6)^*$.

Proof: First note that the point $D(P)$ is of order $l$ as $D(.)$ is a group automorphism. For a proof of the first statement, suppose to the contrary that we have $e_l(P, D(P))^{l/r} = 1$. Then it follows that $e_l(P, l/r \cdot D(P)) = 1$, that is, $P$ and $l/r \cdot D(P)$ are dependent. Hence either $P \in \langle l/r \cdot D(P) \rangle$ or $l/r \cdot D(P) \in \langle P \rangle$. The first option is ruled out as it implies that the order of $P$ is divisible by $l/r$. So,

$$l/r \cdot D(P) \in \langle P \rangle \cap \langle D(P) \rangle = \{O\},$$

where the last equality follows from Theorem 4. That is, $l/r \cdot D(P) = O$, contradicting that the order of $D(P)$ is equal to $l$. For a proof of the second statement, we may assume without loss of generality that $l \geq 3^2$. If we assume to the contrary that $e_l(P, D(P))^{l/9} = 1$ and reason in a similar way as in the proof of the first part, we conclude that

$$l/9 \cdot D(P) \in \langle P \rangle \cap \langle D(P) \rangle = G_3,$$

where the last equality follows from Theorem 4. This contradicts that the order of $l/9 \cdot D(P)$ is nine. □

3 Hardness of the X2C Hypothesis

Before coming to our main results, we recall some general notions. Let $G = \langle \gamma \rangle$ be any cyclic, multiplicative group of order $l$, generated by an element $\gamma$. The security of the Diffie-Hellman key agreement protocol with respect to $\gamma$ lies in the Diffie-Hellman problem of computing the values of the function $DH(\gamma^x, \gamma^y) = \gamma^{xy}$. Two other problems are related to the DH problem. The first one is the Decision Diffie-Hellman (DDH) problem with respect to $\gamma$: given $\alpha, \beta, \delta \in G$ decide whether $\delta = DH(\alpha, \beta)$ or not. The DH problem is at least as difficult as the DDH problem. The second related problem is the discrete logarithm (DL) problem in $G$ with respect to $\gamma$: given $\alpha = \gamma^x \in G$, with $0 \leq x < l$, find $x = DL(\alpha)$. The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem in $G$ is hard, then so are the other two. In [?], Joux notes that Decision Diffie-Hellman type problems in extensions of supersingular elliptic curves are often efficiently computable. We use Joux's reasoning in the proof of the next result, which in particular provides an example of a supersingular elliptic curve where the Decision Diffie-Hellman problem is efficiently computable, while the discrete logarithm problem is presumably hard.

Theorem 6 The Decision Diffie-Hellman problem in any supersingular elliptic curve over $GF(p^2)$ of order $p^2 - p + 1$ is efficiently computable.

Proof: We can restrict ourselves to curves of type $C_a$. Write $p^2 - p + 1 = t \cdot v$ where $t$ is a power of three and $v$ is relatively prime to three. By virtue of the Pohlig-Hellman algorithm [?], the DDH problem in $C_{a,p^2}$ can be reduced to the DDH problem in the subgroups of order $t$ and $v$. As one can easily solve the discrete logarithm problem in the first subgroup, one can efficiently solve the Decision Diffie-Hellman problem for this subgroup too.

Now, let $P$ be a generator of the subgroup $C_{a,p^2}[v]$ and suppose that points $X = x * P$, $Y = y * P$, $Z = z * P$ in $C_{a,p^2}[v]$ are given. To solve the Decision Diffie-Hellman problem in $C_{a,p^2}[v]$, we need to determine whether $z = x \cdot y \bmod v$. By the Identity property of the Weil pairing, its bilinearity and Corollary 5, the Weil pairing $e_v(P, D(P))$ is a $v$-th root of unity of $GF(p^6)$ of order $v$. So on the one hand $e_v(X, D(Y)) = e_v(P, D(P))^{xy}$, and on the other hand $e_v(P, D(Z)) = e_v(P, D(P))^z$. That is, $z = x \cdot y \bmod v$ iff $e_v(X, D(Y))$ is equal to $e_v(P, D(Z))$, which is an efficiently computable condition. □
There are several cryptographic protocols whose security depends on the difficulty of the Decision Diffie-Hellman problem, like the publicly verifiable voting system in [?] and the Cramer-Shoup [?] public key cryptosystem that is provably secure against adaptive chosen ciphertext attacks. Theorem 6 shows that these protocols should not be based on (CTP) supersingular elliptic curves, even with the "appropriate" key sizes. We now obtain our first evidence that the X2C hypothesis is not valid.

Corollary 7 Under the X2C hypothesis, the Decision Diffie-Hellman problem in the XTR subgroup is efficiently computable.

Proof: This follows immediately from Theorem 6. □

Next we show an even stronger consequence of the X2C hypothesis, namely that the Diffie-Hellman problem in the XTR subgroup is efficiently computable. It is convenient to first introduce three variants of the Diffie-Hellman problem. To this end, again let $G = \langle \gamma \rangle$ be any cyclic, multiplicative group of (known) order $l$, generated by the (known) element $\gamma$. Then the weak DH problem with respect to $\gamma$ is the problem of finding any generator $\kappa$ such that, for all $0 \leq x, y < l$, determining $\kappa^{xy}$ can be efficiently done on the basis of $\gamma^x$ and $\gamma^y$. That is, $\kappa$ only depends on $\gamma$ and not on $x, y$. The strong DH problem with respect to $\gamma$ is the problem of efficiently determining $\xi^{xy}$ on the basis of $\gamma^x$ and $\gamma^y$, for all $0 \leq x, y < l$ and any generator $\xi$ of $G$. Finally, the DH problem with respect to the group $G$ is the problem of efficiently determining $\xi^{xy}$ on the basis of $\alpha^x$ and $\alpha^y$ for all $0 \leq x, y < l$ and any generators $\alpha, \xi$ of $G$. Note that this notion is independent of the choice of a particular generator $\gamma$ of $G$.

Lemma 8 In the setting above, the weak, conventional and strong Diffie-Hellman problem w.r.t. $\gamma$ and the Diffie-Hellman problem w.r.t. $G$ are equivalent.

Proof: We first show equivalence of the first three problems. Clearly, if one can solve the strong Diffie-Hellman problem, one can solve the conventional Diffie-Hellman problem. Moreover, if one can solve the conventional Diffie-Hellman problem then by taking $\kappa = \gamma$ one can solve the weak Diffie-Hellman problem. To show that these three problems are equivalent, it suffices to show that if one can solve the weak Diffie-Hellman problem, one can solve the strong Diffie-Hellman problem. To this end, let $\gamma, \kappa$ be as described in the definition of the weak Diffie-Hellman problem and let $\xi$ be any generator of $G$. Also, let the function $WDH(., .)$ be defined by $\kappa^{xy} = WDH(\gamma^x, \gamma^y)$. Then by hypothesis $WDH(., .)$ is efficiently computable. We only prove the lemma in the case that $l$ is a prime number, which is the case important to us, and leave the general case to the reader.

We can write $\kappa = \gamma^s$ and $\xi = \gamma^t$ for some $0 < s, t < l$, which are unknown. We first claim that we can efficiently compute $\gamma^{(s^n)}$ for any $n \geq 1$. To this end, for any $i \geq 1$ define

$$T(i) = (\gamma^{(s^{i-1})}, \gamma^{(s^i)}).$$

Note that $T(1) = (\gamma, \kappa)$ is efficiently computable. Also note that if $T(i) = (A, B)$ is given, then $T(2i)$ is equal to $(WDH(A, A), WDH(A, B))$ and $T(2i + 1)$ is equal to $(WDH(A, B), WDH(B, B))$. This means that we can compute $T(n)$ in $2 \cdot \log_2(n)$ calls to the function $WDH(., .)$ using repeated squaring and multiplication (cf. [?, Algorithm 2.3.7]). That is, we can efficiently compute $\gamma^{(s^n)}$ for any $n \geq 1$. In particular, we can efficiently compute the element $D = \gamma^{(s^{l-4})}$.

We are now ready to prove that we can solve the strong Diffie-Hellman problem with respect to $\gamma$. To this end, let $A = \gamma^x$ and $B = \gamma^y$ be given. Then, first of all,

$$E = WDH(D, WDH(A, B)) = WDH(\gamma^{(s^{l-4})}, \gamma^{sxy}) = \gamma^{s^{l-2} xy} = \gamma^{s^{-1} xy}.$$

Here we have used that $s^{l-1} = 1 \bmod l$ for any prime number $l$ (i.e., Fermat's little theorem). Now,

$$WDH(E, \xi) = WDH(\gamma^{s^{-1} xy}, \gamma^t) = \gamma^{s (s^{-1} xy\, t)} = \gamma^{xyt} = \xi^{xy}.$$

As we can efficiently compute $E = WDH(D, WDH(A, B))$ and $WDH(E, \xi)$, we can efficiently compute $\xi^{xy}$ on the basis of $\gamma^x$ and $\gamma^y$. That is, we have solved the strong Diffie-Hellman problem with respect to $\gamma$.

We are left with showing the equivalence between the first three problems mentioned in the lemma and the last one. To this end, let $\alpha, \xi$ be generators of $G$ and suppose that $\alpha^x, \alpha^y$ are given for some $0 \leq x, y < l$. Write $\alpha = \gamma^a$ and $\xi = \gamma^t$ for some $0 < a, t < l$. First of all, we can efficiently determine $\gamma^{a^2}$ from $\alpha$, which is a conventional Diffie-Hellman problem w.r.t. $\gamma$. Secondly, from the latter result one can efficiently determine $\gamma^{a^{-2}} = \gamma^{(a^2)^{l-2}}$ by using the techniques described above. Finally, from the latter result and $\xi$ we can efficiently determine $\delta = \gamma^{a^{-2} t}$, which is again a conventional Diffie-Hellman problem w.r.t. $\gamma$. Now, if we present $\alpha^x, \alpha^y$ to the efficient algorithm solving the strong Diffie-Hellman problem with respect to $\gamma$ and $\delta$, it returns $\delta^{a^2 xy}$, which is equal to $\gamma^{a^{-2} t a^2 xy} = \gamma^{txy} = \xi^{xy}$. We conclude that we have solved the Diffie-Hellman problem with respect to $\alpha$ and $\xi$. □
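The reduction in the proof of Lemma 8, as an added example that is not part of the paper: a simulated weak DH oracle (it secretly knows $s$, which the reduction never reads) in the order-509 subgroup of $GF(1019)^*$ (constructed parameters), the $T(i)$ ladder, and the derived solvers for the strong DH problem w.r.t. $\gamma$ and for the DH problem w.r.t. $G$.

```python
"""Added example, not the paper's own code: the reduction in the proof of
Lemma 8.  A weak Diffie-Hellman oracle is turned into a solver for the strong
DH problem w.r.t. gamma with the T(i) ladder, and then into a solver for the
DH problem w.r.t. the group G (arbitrary generators alpha, xi).

Constructed setting: G = <GAMMA> is the subgroup of prime order L = 509 of
GF(P)^* for the safe prime P = 2*L + 1 = 1019.  The oracle is simulated by a
class that knows the hidden exponent s with kappa = gamma^s; the reduction
never reads s, it only calls wdh()."""

P = 1019
L = 509                      # prime order of G; 1019 = 2*509 + 1
GAMMA = 4                    # a square mod P, hence of order exactly L
_LOG = {pow(GAMMA, i, P): i for i in range(L)}   # log table; the group is tiny


class WeakDHOracle:
    """WDH(gamma^x, gamma^y) = kappa^(x*y) for the fixed generator kappa = gamma^s."""

    def __init__(self, s):
        assert 0 < s < L
        self._s = s                          # hidden; never used by the reduction
        self.kappa = pow(GAMMA, s, P)        # public, as in the weak DH definition
        self.calls = 0

    def wdh(self, a, b):
        # The simulator cheats with the log table; a real oracle would be
        # whatever algorithm the hypothesis supplies.
        self.calls += 1
        return pow(self.kappa, _LOG[a] * _LOG[b], P)


def ladder(oracle, n):
    """T(n) = (gamma^(s^(n-1)), gamma^(s^n)) from T(1) = (gamma, kappa), using
    T(2i) = (WDH(A,A), WDH(A,B)) and T(2i+1) = (WDH(A,B), WDH(B,B)),
    i.e. two oracle calls per bit of n."""
    A, B = GAMMA, oracle.kappa
    for bit in bin(n)[3:]:                   # bits of n after the leading 1
        if bit == "0":
            A, B = oracle.wdh(A, A), oracle.wdh(A, B)
        else:
            A, B = oracle.wdh(A, B), oracle.wdh(B, B)
    return A, B


def strong_dh(oracle, xi, ga_x, ga_y):
    """Strong DH w.r.t. gamma: from gamma^x, gamma^y return xi^(x*y) for any
    generator xi = gamma^t of G, knowing neither x, y, s nor t."""
    D = ladder(oracle, L - 4)[1]                    # gamma^(s^(L-4))
    E = oracle.wdh(D, oracle.wdh(ga_x, ga_y))       # gamma^(s^(L-2) xy) = gamma^(xy/s)
    return oracle.wdh(E, xi)                        # gamma^(s * (xy/s) * t) = xi^(xy)


def conventional_dh(oracle, ga_x, ga_y):
    """DH(gamma^x, gamma^y) = gamma^(xy): the strong problem with xi = gamma."""
    return strong_dh(oracle, GAMMA, ga_x, ga_y)


def gamma_to_power_of(oracle, ga_b, e):
    """gamma^(b^e) from gamma^b by square-and-multiply in the exponent:
    DH(gamma^(b^i), gamma^(b^j)) = gamma^(b^(i+j))."""
    r = GAMMA                                       # gamma^(b^0)
    for bit in bin(e)[2:]:
        r = conventional_dh(oracle, r, r)
        if bit == "1":
            r = conventional_dh(oracle, r, ga_b)
    return r


def group_dh(oracle, alpha, xi, al_x, al_y):
    """DH w.r.t. G (last part of Lemma 8): from alpha^x, alpha^y return xi^(x*y)
    for generators alpha = gamma^a and xi = gamma^t with a, t unknown."""
    ga_a2 = conventional_dh(oracle, alpha, alpha)         # gamma^(a^2)
    ga_a_inv2 = gamma_to_power_of(oracle, ga_a2, L - 2)   # gamma^(a^-2) by Fermat
    delta = conventional_dh(oracle, ga_a_inv2, xi)        # gamma^(t * a^-2)
    # strong DH w.r.t. gamma with generator delta on gamma^(ax), gamma^(ay)
    return strong_dh(oracle, delta, al_x, al_y)           # delta^(a^2 xy) = xi^(xy)
```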

Lemma 9 Let $G, F$ be two isomorphic, cyclic groups and let $i : G \to F$ and $j : F \to G$ be two efficiently computable, injective homomorphisms. We assume that the order $l$ of $G$ and $F$ and some generators are known. Then, the Diffie-Hellman problem with respect to $G$ is efficiently computable iff it is with respect to $F$. Moreover, under this condition, the inverses of $i(.)$ and $j(.)$ are efficiently computable too.

Proof: It easily follows that if one can solve the Diffie-Hellman problem in one of $G$ or $F$, then one can solve the weak Diffie-Hellman problem in the other one. So the first part of the lemma follows from Lemma 8. For a proof of the second part of the lemma, we show that $i^{-1}(.)$ is efficiently computable by efficiently computing $i^{-1}(\omega)$ for any element $\omega$ of $F$. To this end, let $g$ be a generator of $G$ and let $\gamma = i(g)$ and $g_2 = j(\gamma)$. One can easily verify that the algorithm solving the Diffie-Hellman problem with respect to $g_2$ and $g$ yields $i^{-1}(\omega)$ when presented $g_2$ and $j(\omega)$. □

Theorem 10 Under the X2C hypothesis, the following problems are efficiently computable:

1. The Diffie-Hellman problem in the XTR subgroup.

2. The Diffie-Hellman problem in the group of points of order $q$ on a supersingular elliptic curve over $GF(p^2)$ of order $p^2 - p + 1$.

3. Inverting any efficiently computable embedding (e.g., based on the MOV embedding) from the group of points of order $q$ on a supersingular elliptic curve over $GF(p^2)$ of order $p^2 - p + 1$ into the XTR subgroup.

Proof: Suppose that $H(.)$ is an efficiently computable injective homomorphism from the XTR subgroup into some $C_{a,p^2}[q]$. We first prove the first part of the theorem. Consider any generator $g$ of the XTR subgroup. We construct another generator $h$ in the XTR subgroup satisfying the definition of the weak DH problem. To this end, let $h = e_q(H(g), D(H(g)))$ where $e_q(., .)$ denotes the Weil pairing on the $q$-th torsion group of $C_a$ and $D(.)$ denotes the distortion map from Theorem 4. It also follows from this theorem that the order of $h$ is equal to $q$.

To break the weak Diffie-Hellman problem with respect to $g, h$, suppose that $X = g^x, Y = g^y$ are given. Then:

$$e_q(H(X), D(H(Y))) = e_q(x * H(g), y * D(H(g))) = e_q(H(g), D(H(g)))^{xy} = h^{xy}.$$

That is, by computing $e_q(H(X), D(H(Y)))$, which can be done efficiently, we have solved the weak DH problem with respect to $g, h$. The result now follows from Lemma 8. The second and third part of the theorem follow from the first part and Lemma 9. □

The last part of Theorem 10 states that to prove the validity of the X2C hypothesis, one can concentrate on efficiently inverting any MOV embedding into the XTR subgroup.

4 Extensions

4.1 Other Extension Field Based Public Key Systems

Two other public key cryptosystems exist that are based on the discrete logarithm problem in the extension field $GF(p^6)^*$, or actually subfields thereof. The LUC cryptosystem, [?] and [?], is based on the order $p + 1$ subgroup of $GF(p^2)^*$. The variant by Gong & Harn of LUC is based on the $p^2 + p + 1$ subgroup of $GF(p^3)^*$, where as in the XTR setting $p = 2 \bmod 3$. For both subgroups one can find supersingular elliptic curves (cf. [?]) and efficiently computable isomorphisms from these curves onto these subgroups, based on the Weil pairing. That is, for each of the two cryptosystems one can formulate a hypothesis similar to X2C. We remark that there do not exist elliptic curves defined over $GF(p^2)$ with $p^2 + p + 1$ or $p^2 - p + 1$ points over $GF(p^2)$ if $p = 1 \bmod 3$, as the number of isomorphism classes is equal to $1 - \left(\frac{-3}{p}\right)$ (cf. [?, Theorem 3.2]), which is equal to zero if $p = 1 \bmod 3$ and equal to two if $p = 2 \bmod 3$.

With respect to the Gong and Harn variant of LUC, one could call the related curves CTN curves: Class Three supersingular elliptic curves defined over $GF(p^2)$ with Negative parameter $t$, namely $t = -p$ (as opposed to $t = p$). Provided $p = 2 \bmod 3$, it follows that these elliptic curves take the form $y^2 = x^3 + a$ where $a \in GF(p^2)$ is neither a square nor a cube in $GF(p^2)$. This means that the difference with CTP curves lies in the fact that $a$ is a non-quadratic residue. However, it easily follows that this property is not of significance in the proofs in this paper and all results for CTP curves generalize to CTN elliptic curves. More in particular, the map $(x, y) \mapsto (u^2 x^p, u^3 y^p)$ where $u$ is a solution of $u^6 = a/a^p$ is an appropriate distortion map on these types of curves. As there exists no point on such curves with first coordinate equal to zero, all points different from the point at infinity on the curve over $GF(p^2)$ are mapped to points outside the curve over $GF(p^2)$. It follows that the existence of any efficiently computable, injective homomorphism from the Gong & Harn group into any supersingular elliptic curve over $GF(p^2)$ of order $p^2 + p + 1$ implies that we can solve the Diffie-Hellman problem in the Gong & Harn subgroup of $GF(p^3)^*$ as well as in the related elliptic curve group of points. Moreover, it follows that the Decision Diffie-Hellman problem in these elliptic curve groups is always efficiently computable, irrespective of additional hypotheses.

Our techniques do not completely generalize, at least not in a straightforward fashion, to disprove this hypothesis for the LUC cryptosystem. This is partly due to the fact that we are not aware of a full representation of all isomorphism classes of the corresponding supersingular elliptic curves, i.e., curves over $GF(p)$ of trace zero. However, our techniques do generalize to two particular subclasses of such elliptic curves over $GF(p)$, as one can easily find the appropriate distortion maps. These classes of curves and distortion maps are:

1. $y^2 = x^3 - ax$ with $p = 3 \bmod 4$ and $a$ any non-zero element in $GF(p)$. Here an appropriate distortion map is given by $(x, y) \mapsto (-x, i \cdot y)$ where $i \in GF(p^2) \setminus GF(p)$ satisfies $i^2 = -1$.

2. $y^2 = x^3 + a$ with $p = 2 \bmod 3$ and $a$ any non-zero element in $GF(p)$. Here an appropriate distortion map is given by $(x, y) \mapsto (w \cdot x, y)$ where $w \in GF(p^2) \setminus GF(p)$ satisfies $w^3 = 1$.

It follows in particular that the Decision Diffie-Hellman problem in the group of points over $GF(p^2)$ on these curves is efficiently computable. Recently, A. Joux and K. Nguyen, [?], have constructed examples of supersingular elliptic curves of the type described above that have the additional property that the Diffie-Hellman problem and the discrete logarithm problem are equivalently difficult.

4.2 Possible Generalizations

In this section we discuss the applicability of our techniques to general elliptic curves, e.g., non-supersingular ones. To this end, let $E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ be an elliptic curve defined over a finite field $K = GF(p^n)$ and let $P$ be a point on $E$ over $K$ of prime order $q$. As usual, we refer to the points on the curve $E$ over a field $L$ (including the point at infinity) as $E(L)$. Now, a distortion map with respect to $P$ is an endomorphism defined over the algebraic closure $\bar{K}$ of $K$ that maps $P$ to a point $D(P)$ independent from $P$ (cf. Figure 1). As $D(.)$ is a group homomorphism, it follows that $D(P)$ is an element of the $q$-th torsion points $E[q]$ of $E$.

Fig. 1. Distortion maps

Suppose that the set of $q$-th torsion points $E[q]$ of $E$ is contained in $E(K')$ for some extension field $K' = GF(p^{nk})$ of $K$ of degree $k$, the so-called MOV degree. It is known (cf. [?]) that if the degree $k$ is of polynomial size in $\log_2(\#K)$ then computing the Weil pairing $e_q(., .)$ can be done in probabilistic polynomial time in $\log_2(\#K)$ too.

Under this condition it directly follows from the techniques employed in Section 3 that the existence of a distortion map implies that the Decision Diffie-Hellman problem in the group $\langle P \rangle$ is efficiently computable. Now the following question arises: under what conditions can we expect that distortion maps exist? As pointed out to us by A. Joux, it is a consequence of [?, Ch. III, Th. 9.5] that the endomorphism group of a supersingular elliptic curve is so large that distortion maps always exist in these circumstances, with only a finite number of exceptions. As in this situation the degree $k$ is either 1, 2, 3, 4 or 6, it also follows that the Decision Diffie-Hellman problem is efficiently computable in subgroups on such curves.
With respect to the case of "ordinary", i.e., non-supersingular elliptic curves there is one prominent example of a distortion map, namely the Frobenius map with respect to $K$, $F : (x, y) \mapsto (x^{p^n}, y^{p^n})$. The Frobenius map acts as a $GF(q)$-linear mapping on $E[q]$ (considered as a two-dimensional linear space over $GF(q)$) and its characteristic equation is $\lambda^2 - t\lambda + p^n$ (cf. [?]). The eigenvalues of $F$ with respect to $E[q]$ are one (with corresponding eigenspace $\langle P \rangle$) and $t - 1 \bmod q$. If $t \neq 2 \bmod q$, then the eigenvectors corresponding with the eigenvalue $t - 1 \bmod q$ are not elements of the curve over $K$. That is, they are outside the original curve and really lie on the extension of the curve over $K'$. Now if we consider any subgroup $\langle Q \rangle$ of the $q$-th torsion group different from these eigenspaces, we see that $Q$ and $F(Q)$ are independent. Compare Figure 1 above. So if the MOV degree $k$ is polynomial in $\log_2(\#K)$ then the Decision Diffie-Hellman problem is efficiently computable in such subgroups. In [?] it is shown that for general elliptic curves over basic fields $K$ it is unlikely that $k < (\log_2(\#K))^2$. We are not aware of general results concerning the case that $k$ is not polynomial in $\log_2(\#K)$. Moreover, we observe that our techniques do not really require to actually compute values of Weil pairings: only the ability to compare them suffices. For this the efficient calculation of a one bit predicate of a Weil pairing is probably sufficient. It is not a priori clear that it can be excluded that this is possible in polynomial time even if $k$ is not polynomially bounded.

Of course, this does not settle the existence of distortion maps in the original 
group (P). This is very relevant from a practical, cryptographic point of view, 
as such existence would make the Decision Diffie-Hellman problem in practically 
used elliptic curve subgroups (possibly) efficiently computable. In discussions 
with numerous knowledgeable colleagues, it emerged that distortion maps in 
such elliptic curve subgroups do not exist. The following elegant proof of this 
was presented to us by Ruud Pellikaan. 

Theorem 11 Let $E$ be a non-supersingular curve and let $P \in E(K)$ be of order $q$. If $q$ is relatively prime to $p$ and the $q$-th torsion group is not contained in $E(K)$ then there cannot exist a distortion map $D(.)$ w.r.t. $P$. Moreover, the second condition is implied by the condition that $q^2$ does not divide $\#(E(K))$.

Proof: Suppose, to the contrary, that such a distortion map $D$ exists. Notice that $Q = D(P)$ is not a point on $E(K)$ as this would imply that the $q$-th torsion group is contained in $E(K)$. The crux of the proof is that the endomorphism ring of a non-supersingular elliptic curve is abelian. This follows for instance from the fact that this ring is an order in a quadratic imaginary field (cf. [?, Ch. V, Theorem 3.1]). As before, let $F$ be the $K$-Frobenius map. Now,

$$Q = D(P) = D(F(P)) = F(D(P)) = F(Q),$$

where the second equality follows as $P \in E(K)$. But this means that $Q$ is an element of $E(K)$ and we arrive at a contradiction. The last part of the result easily follows. □

Evidence that XTR Is More Secure than Supersingular EC Cryptosystems 207

As elliptic curve subgroups used in practical cryptosystems satisfy the conditions of Theorem 11, we conclude that in such circumstances distortion maps do not exist. It seems like an interesting problem to find out if distortion maps can exist in the situation that the $q$-torsion group is contained in $E(K)$, but no point of order $q$ is contained in $E(K_0)$ for any genuine subfield $K_0$ of $K$.

5 Applications

Distortion maps on (supersingular) elliptic curves can not only be used as cryptanalytical tools, but also as building blocks in actual applications.

5.1 A One Round Protocol for Tripartite Diffie-Hellman Key Exchange

In [?] A. Joux proposes schemes for a three-participant variation of the Diffie-Hellman protocol. One of his schemes is based on a subgroup of prime order $q$ of a supersingular elliptic curve over a field $GF(p^n)$. Two points $P, Q$ of order $q$ are chosen, such that $P$ is an element of the elliptic curve over $GF(p^n)$ and $Q$ is an element of the $q$-th torsion group that is independent from $P$. A simple way to establish this is to choose the element $Q$ of order $q$ so that it is not on the curve itself, but on the curve over the extension field $GF(p^{nk})$ of $GF(p^n)$. Here $k$ is called the MOV degree, which is either 1, 2, 3, 4 or 6. It follows in particular that the Weil pairing $e_q(P, Q)$ is a $q$-th root of unity in $GF(p^{nk})$. It is assumed that taking discrete logarithms in the groups $\langle P \rangle$ and $\langle Q \rangle$ is not practically possible.

Now in the tripartite Diffie-Hellman protocol, three parties A, B, C want to establish a shared key, whereby each party only exchanges one message with another party. That is, at most 6 messages are exchanged. Joux proposes the following protocol. Each $i$-th participant ($i = 1, 2, 3$) generates a random $0 < x_i < q$, forms $(A_i, B_i) = (x_i \cdot P, x_i \cdot Q)$, and sends this to the other participants. Now the shared key is the element $e_q(P, Q)^{x_1 x_2 x_3}$. To illustrate that each participant can compute the shared key, the first participant can do so by determining:

$$e_q(A_2, B_3)^{x_1} = e_q(x_2 \cdot P, x_3 \cdot Q)^{x_1} = e_q(P, Q)^{x_1 x_2 x_3}.$$

We now describe the possible application of distortion maps. To this end, let $P$ be a point on an elliptic curve $E$ of order $q$ such that taking discrete logarithms in $\langle P \rangle$ is not practically possible and assume there exists a distortion map $D(.)$ on the curve that maps $P$ to a point $D(P)$ independent from $P$.

Now if, in our variant of the tripartite Diffie-Hellman protocol, three parties A, B, C want to establish a shared key then each $i$-th participant ($i = 1, 2, 3$) generates a random $0 < x_i < q$, forms the point $x_i \cdot P$, and sends this to the other participants. The shared key is the element $e_q(P, D(P))^{x_1 x_2 x_3}$. It is a simple verification to see that each participant can compute this key. Compared with the original tripartite Diffie-Hellman protocol in the curve $E$, this variant only requires two thirds of the number of exponentiations and half the number of bits exchanged.

If one can solve the Diffie-Hellman problem with respect to $P$ or $e_q(P, Q)$ then one can break this protocol. We are not aware of reverse results.
5.2 Supporting Non-repudiation and Escrowable Encryption with Only One Public Key

To fully support non-repudiation of digital signatures it is common practice not to escrow the related private keys. To prevent loss of information resulting from loss of private key material, or to comply with legal requirements, end-users will typically be issued two (or even three) certificates: one for non-repudiation services and others for different services.

The use of distortion mappings makes it possible to employ one public key (and hence certificate) for a non-repudiation service as well as for an encryption service, in such a way that the private signing key is not escrowed, while the encryption service is recoverable. To describe this scheme, once again let $P$ be a point on an elliptic curve $E$ over a finite field $GF(p^n)$ such that taking discrete logarithms in $\langle P \rangle$ is not practically possible. Assume there exists a distortion map $D(.)$ on the curve that maps $P$ to a point $D(P)$ independent from $P$ in the $q$-th torsion group contained in the elliptic curve over the extension field $GF(p^{nk})$. We assume that the Weil pairing is efficiently computable on $\langle P \rangle \times \langle D(P) \rangle$. Denote the $q$-th root of unity $e_q(P, D(P))$ in $GF(p^{nk})$ by $g$.

In our scheme an end-user A chooses its private signing key $0 < x < q$ randomly. Its public key (for both the non-repudiation and the encryption service) is the element $y = g^x$ in $GF(p^{nk})^*$. The user's certificate is based on this public key and also references (or contains) the system parameters, e.g., the elliptic curve $E$, the group order $q$, the point $P$ on it and the element $g$. To make the encryption service recoverable, the user also forms the point $Y = x \cdot P$ and escrows this at a trusted third party. Now, the end-user could employ any discrete logarithm based digital signature scheme, like Schnorr, ElGamal or DSA, thereby using $g, y$ and the private key $x$. The encryption service supported is the following variant of the ElGamal [?] encryption scheme:

1. The sender generates a random $0 < k < q$ and symmetrically encrypts the information for end-user A using $y^k$ as a session key.

2. The sender forms the point $K = k \cdot P$ on the curve $E$ and sends both the encrypted information and the point $K$ to end-user A.

Now, there are essentially two ways for the end-user A to decrypt information encrypted this way. The first way is to first calculate $e_q(K, D(P)) = e_q(k \cdot P, D(P)) = e_q(P, D(P))^k = g^k$ and then secondly calculate $(g^k)^x = y^k$, which enables the end-user to decrypt the symmetrically encrypted information. Note that no secret information is required to determine $g^k$, so this information could in fact be sent along by the sender, avoiding that the end-user needs to calculate a Weil pairing. The second way to decrypt this information is to directly calculate $e_q(K, D(Y)) = e_q(k \cdot P, D(x \cdot P)) = e_q(k \cdot P, x \cdot D(P)) = g^{kx} = y^k$ on the basis of $Y$. Note that this operation does not require the private key $x$ but that the escrowed value $Y$ suffices. Hence, if the end-user retrieves a copy of $Y$ from his escrow agent then he is able to decrypt his messages when he loses his private $x$. However, the end-user is not able to make new digital signatures as determining the private key $x$ from $Y = x \cdot P$ requires one to solve a discrete logarithm problem in the elliptic curve, which we assumed is not practically possible.

For an indication of security, suppose that an attacker can compute $Y$ on the basis of $y$; then, as $y$ is chosen randomly by the end-user, the attacker has found a computable injective homomorphism from $\langle g \rangle$ to $\langle P \rangle$. It follows from the arguments in Section 3 that the attacker is then also able to solve the Diffie-Hellman problem in both these groups. We are not aware of more rigorous security proofs. We finally remark that there exists a more general but less efficient variant of this scheme that does not require a distortion map and whereby one uses two independent points $P, Q$. We leave the details, which are straightforward, to the reader.
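An added example (not code from the paper) that realises, on a concrete curve, both the pairing-based DDH test of Theorem 6 and the escrowable encryption scheme of this section. It assumes constructed parameters $p = 131$, $q = 11$, the curve $y^2 = x^3 + 1$ over $GF(p)$ with the distortion map $(x, y) \mapsto (w \cdot x, y)$ from Section 4.1, and the reduced Tate pairing computed by Miller's algorithm in place of the paper's Weil pairing (the scheme only needs a bilinear, non-degenerate pairing, which it is).

```python
"""Added example (not code from the paper): DDH via a pairing plus distortion map
(Theorem 6) and the escrowable encryption of Section 5.2, on y^2 = x^3 + 1 over
GF(p), p = 2 mod 3, with the Section 4.1 distortion map (x, y) -> (zeta*x, y).
Assumptions: constructed parameters p = 131, q = 11 (q | p + 1, q does not divide
p - 1, so the MOV degree is 2), and the reduced Tate pairing (Miller's algorithm)
in place of the paper's Weil pairing; only bilinearity and non-degeneracy are used."""
P = 131                      # p = 2 mod 3 and p = 3 mod 4
Q_ORDER = 11                 # prime q dividing #E(GF(p)) = p + 1 = 132
COFACTOR = (P + 1) // Q_ORDER


class Fp2:
    """Elements a + b*i of GF(p^2) = GF(p)[i]/(i^2 + 1) (a field since p = 3 mod 4)."""
    def __init__(self, a, b=0): self.a, self.b = a % P, b % P
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __truediv__(self, o):                     # multiply by the conjugate over the norm
        n = pow(o.a * o.a + o.b * o.b, -1, P)
        return self * Fp2(o.a * n, -o.b * n)
    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1: r = r * base
            base, e = base * base, e >> 1
        return r


ZERO, ONE = Fp2(0), Fp2(1)
_SQRT3 = pow(3, (P + 1) // 4, P)                  # sqrt(3) in GF(p); 3 is a square mod 131
ZETA = Fp2(-1, _SQRT3) * Fp2(pow(2, -1, P))       # (-1 + sqrt(-3))/2 with sqrt(-3) = i*sqrt(3)
assert ZETA != ONE and ZETA ** 3 == ONE           # primitive cube root of unity, outside GF(p)


def _slope(A, B):
    if A == B:                                    # tangent line on y^2 = x^3 + 1
        return (Fp2(3) * A[0] * A[0]) / (Fp2(2) * A[1])
    return (B[1] - A[1]) / (B[0] - A[0])

def ec_add(A, B):
    """Group law on E; None is the point at infinity O."""
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] != B[1] or A[1] == ZERO):
        return None                               # B = -A
    lam = _slope(A, B)
    x3 = lam * lam - A[0] - B[0]
    return (x3, lam * (A[0] - x3) - A[1])

def ec_mul(k, pt):
    r = None
    for bit in bin(k)[2:]:                        # double-and-add
        r = ec_add(ec_add(r, r), pt if bit == "1" else None)
    return r

def distort(pt):
    """D(x, y) = (zeta*x, y): maps an order-q point of E(GF(p)) outside E(GF(p))."""
    return (ZETA * pt[0], pt[1])

def _miller_line(A, B, Q):
    """l_{A,B}(Q) / v_{A+B}(Q); just the vertical line when B = -A (A + B = O)."""
    if A[0] == B[0] and A[1] != B[1]:
        return Q[0] - A[0]
    lam = _slope(A, B)
    x3 = lam * lam - A[0] - B[0]
    return (Q[1] - A[1] - lam * (Q[0] - A[0])) / (Q[0] - x3)

def pairing(Pt, Q):
    """Reduced Tate pairing e(Pt, Q) = f_{q,Pt}(Q)^((p^2 - 1)/q), a q-th root of unity."""
    T, f = Pt, ONE
    for bit in bin(Q_ORDER)[3:]:                 # Miller's algorithm, double-and-add
        f, T = f * f * _miller_line(T, T, Q), ec_add(T, T)
        if bit == "1":
            f, T = f * _miller_line(T, Pt, Q), ec_add(T, Pt)
    return f ** ((P * P - 1) // Q_ORDER)

def find_point_of_order_q():
    """Scan E(GF(p)) for a point and clear the cofactor (fine for a toy p)."""
    for x in range(1, P):                          # x = 0 only gives the two order-3 points
        for y in range(P):
            if y * y % P == (x ** 3 + 1) % P:
                pt = ec_mul(COFACTOR, (Fp2(x), Fp2(y)))
                if pt is not None:
                    return pt

BASE = find_point_of_order_q()                    # the point P of the paper
G = pairing(BASE, distort(BASE))                  # g = e(P, D(P)), of order exactly q

def ddh(X, Y, Z):                                 # Theorem 6: X = x*P, Y = y*P, Z = z*P
    return pairing(X, distort(Y)) == pairing(BASE, distort(Z))   # z = xy mod q ?

def keygen(x):                                    # user A: private x, public y = g^x, escrow Y = x*P
    return G ** x, ec_mul(x, BASE)

def encrypt(y, k):                                # sender: session key y^k, sends K = k*P along
    return y ** k, ec_mul(k, BASE)

def decrypt_with_private_key(x, K):
    return pairing(K, distort(BASE)) ** x         # e(K, D(P))^x = (g^k)^x = y^k

def decrypt_with_escrow(Y, K):
    return pairing(K, distort(Y))                 # e(k*P, x*D(P)) = g^(kx) = y^k, without x
```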

6 Conclusion

We have shown that the existence of any efficiently computable, injective homomorphism from the XTR subgroup into the group of points over $GF(p^2)$ on a supersingular elliptic curve over $GF(p^2)$ of order $p^2 - p + 1$ implies that we can solve several problems that are widely believed to be hard. The Diffie-Hellman problem in the XTR subgroup is an example of such a problem. We have also shown that the Decision Diffie-Hellman problem in such elliptic curve groups is efficiently computable and that our results can be extended to other supersingular elliptic curve groups. The results in this paper therefore provide evidence that the multiplicative group of a finite field provides essentially more, and in any case not less, security than the group of points of a supersingular elliptic curve of comparable size. In addition to this, we have discussed generalizations to tackle the Decision Diffie-Hellman problem in certain groups of points on non-supersingular elliptic curves over finite fields. Finally, we have shown that the tools we used in our cryptanalysis (distortion maps) can also be used as building blocks in new cryptographic applications. We have illustrated that with two examples: an improvement of Joux's one round protocol for tripartite Diffie-Hellman key exchange and a non-refutable digital signature scheme that supports escrowable encryption.
Abstract. A new authentication and digital signature scheme called the NTRU Signature Scheme (NSS) is introduced. NSS provides an authentication/signature method complementary to the NTRU public key cryptosystem. The hard lattice problem underlying NSS is similar to the hard problem underlying NTRU, and NSS similarly features high speed, low footprint, and easy key creation.

Keywords: digital signature, public key authentication, lattice-based cryptography, NTRU, NSS

Introduction

Secure public key authentication and digital signatures are increasingly important for electronic communications and commerce, and they are required not only on high powered desktop computers, but also on SmartCards and wireless devices with severely constrained memory and processing capabilities. The importance of public key authentication and digital signatures is amply demonstrated by the large literature devoted to both theoretical and practical aspects of the problem, see for example [?].

At CRYPTO '96 the authors introduced a highly efficient new public key cryptosystem called NTRU. (See [?] for details.) Underlying NTRU is a hard mathematical problem of finding short vectors in certain lattices. In this note we introduce a complementary fast authentication and digital signature scheme that uses public and private keys of the same form as those used by the NTRU public key cryptosystem. We call this new algorithm NSS for NTRU Signature Scheme.

In the original version of this paper for Eurocrypt 2001, we both introduced 
NSS and optimized it for maximum efficiency and minimum signature length. 
As a result the underlying ideas and security analysis were less transparent than 
they might have been. To alleviate this problem and attempt to address some 
of the concerns of the referees, the present paper takes the following form. We 
first present a complete version of NSS and a set of parameters optimized to 
provide security comparable to RSA 1024 along with high efficiency. We then 
describe the properties of an implementation of this system at these parameters. 
The version of this paper originally submitted to Eurocrypt then provided a 
security analysis tailored specifically to these parameters. In the current version 
we eliminate some details of the security analysis of the optimized version in 
order to include a discussion of the less efficient version. In this way we hope to 
elucidate the main ideas underlying NSS and thereby make this paper easier to 
read. Complete details of the analysis of the optimized version are available on 
our website at <www.ntru.com/technology/tech.technical.htm>. 

We also note that the signature scheme described in this paper differs in some 
respects from the scheme described by Jeff Hoffstein at the CRYPTO 2000 rump 
session. In order to optimize NSS, the rump session version used disparate sized 
coefficients whose existence was concealed by allowing p to divide q, which led to 
a statistical weakness. (This weakness was independently noted by Mironov.) The use of uniform coefficients and relatively prime values for p and q makes NSS more closely resemble the original NTRU public key cryptosystem, a system that has withstood intense scrutiny since its introduction at CRYPTO '96. 

The authors would like to thank Phil Hirschhorn for much computational 
assistance and Don Coppersmith for substantial help in analyzing the security 
of NSS. Any remaining weaknesses or errors in the signature scheme described 
below are, of course, entirely the responsibility of the authors. 



1 A Brief Description of NSS 

In this section we briefly describe NSS, the NTRU Signature Scheme. In order to avoid excessive duplication of exposition, we assume some familiarity with the NTRU cryptosystem, but we repeat definitions and concepts when it appears useful. Thus this paper should be readable without reference to the NTRU paper. 

The basic operations occur in the ring of polynomials 

\[ R = \mathbb{Z}[X]/(X^N - 1) \]

of degree N − 1, where multiplication is performed using the rule X^N = 1. The coefficients of these polynomials are then reduced modulo p or modulo q, where p and q are fixed integers. 

There are five integer parameters associated to NSS, 

\[ (N, p, q, D_{\min}, D_{\max}). \]

There are also several sets of polynomials F_f, F_g, F_m, F_w having small coefficients that serve as sample spaces. For concreteness, we mention the choice of integer parameters 

\[ (N, p, q, D_{\min}, D_{\max}) = (251, 3, 128, 55, 87), \tag{1} \]

which appears to yield a secure and practical signature scheme. See Section 2 for further details. 

Remark 1. For ease of exposition we often assume that p = 3. We further assume that polynomials with mod q coefficients are chosen with coefficients in the range −q/2 to q/2. 
The public and private keys for NSS are formed as follows. Bob begins by choosing two polynomials f and g having the form 

\[ f = f_0 + p f_1 \quad\text{and}\quad g = g_0 + p g_1. \tag{2} \]

Here f_0 and g_0 are fixed universal polynomials (e.g., f_0 = 1 and g_0 = 1 − 2X) and f_1 and g_1 are polynomials with small coefficients chosen from the sets F_f and F_g, respectively. Bob next computes the inverse f^{-1} of f modulo q, that is, f^{-1} satisfies 

\[ f * f^{-1} \equiv 1 \pmod q. \]

Bob's public verification key is the polynomial 

\[ h = f^{-1} * g \pmod q. \]

Bob's private signing key is the polynomial f. 

Before describing exactly how NSS works, we would like to explain the underlying idea. The coefficients of the polynomial h have the appearance of being random numbers modulo q, but Bob knows a small polynomial f (i.e., f has coefficients that have small absolute value compared to q) with the property that the product g = f * h (mod q) also has small coefficients. Equivalently (see Section 4.2), Bob knows a short vector in the NTRU lattice generated by h. It is a difficult mathematical problem, starting from h, to find f or to find some other small polynomial F with the property that G = F * h (mod q) is small. Bob's signature s on a digital document D will be linked to D and will demonstrate to Alice that he knows a decomposition h = f^{-1} * g (mod q) without giving Alice information that helps her to find f. The mechanism by which Bob shows that he knows f without actually revealing its value lies at the heart of NSS and is described in the next section. 



1.1 NSS Key Generation, Signing, and Verifying 

We now describe in more detail the steps used by Bob to sign a document and 
by Alice to verify Bob’s signature. The key computation involves the following 
quantity. 

Definition 1. Let a(X) and b(X) be two polynomials in R. First reduce their coefficients modulo q to lie between −q/2 and q/2, then reduce their coefficients modulo p to lie in the range between −p/2 and p/2. If 

\[ \bar a(X) = \bar a_0 + \cdots + \bar a_{N-1} X^{N-1} \quad\text{and}\quad \bar b(X) = \bar b_0 + \cdots + \bar b_{N-1} X^{N-1} \]

are the reductions of a and b, respectively, then the deviation of a and b is 

\[ \mathrm{Dev}(a, b) = \#\{\, i : \bar a_i \ne \bar b_i \,\}. \]

Intuitively, Dev(a, b) is the number of coefficients of a mod q and b mod q that differ modulo p. 
Key Generation: This was described above, but we briefly repeat it for convenience. Bob chooses two polynomials f and g having the appropriate form (2). He computes the inverse f^{-1} of f modulo q. Bob's public verification key is the polynomial h = f^{-1} * g mod q and his private signing key is the pair (f, g). 

Signing: Bob's document is a polynomial m modulo p. (In practice, m must be the hash of a document; see Section 2.) Bob chooses a polynomial w ∈ F_w of the form 

\[ w = m + w_1 + p w_2, \]

where w_1 and w_2 are small polynomials whose precise form we describe later, see Section 2.1. He then computes 

\[ s = f * w \pmod q. \]

Bob's signed message is the pair (m, s). 

Verification: In order to verify Bob's signature s on the message m, Alice checks that s ≠ 0 and then verifies the following two conditions: 

(A) Alice compares s to f_0 * m by checking if their deviation satisfies 

\[ D_{\min} \le \mathrm{Dev}(s, f_0 * m) \le D_{\max}. \]

(B) Alice uses Bob's public verification key h to compute the polynomial t = h * s (mod q). She then checks if the deviation of t from g_0 * m satisfies 

\[ D_{\min} \le \mathrm{Dev}(t, g_0 * m) \le D_{\max}. \]

If Bob's signature passes tests (A) and (B), then Alice accepts it as valid. 

The check by Alice that s ≠ 0 is done to eliminate the small possibility of a forgery via the trivial signature. This is described in more detail in the full security analysis on our website. We defer until Section 3 below a detailed explanation of why NSS works. However, we want to mention here the reason for allowing s and t to deviate from f_0 * m and g_0 * m, respectively. This permits us to take w_1 to be nonzero and to allow a significant amount of reduction modulo q to occur in the products f * w and g * w. This makes it difficult for an attacker to find the exact values of f * w or g * w over Z, which in turn means that potential attacks via lattice reduction require lattices of dimension 2N rather than N. 

This is the key difference between the optimized version of NSS presented 
in the next section and a somewhat less efficient version. If we take D_min = D_max = 0, i.e., if we allow no deviations, then a transcript will reveal f * w 
and g*w exactly. Lattices of dimension N can be reduced faster than lattices of 
dimension 2N. Consequently, for a secure version of NSS assuming no deviations 
we require a larger value of N. We will show that if N is chosen greater than 
about 700 this still gives a fast and equally secure signature scheme, albeit with 
somewhat larger key and signature sizes than the optimized version of NSS 
described in this note. 
This concludes our overview of how NSS works. In the next section we suggest a parameter set and explain why we believe that it provides a level of security comparable to RSA 1024. Table 1 compares the efficiency of NSS to other systems. In the following sections we provide a security analysis, although due to space constraints, we refer the reader to [5] for some details, especially for the optimized version with D_min, D_max > 0. 

2 A Practical Implementation of NSS 

The following parameter selection for NSS appears to create a scheme with a breaking time of at least 10^{12} MIPS years: 

\[ (N, p, q, D_{\min}, D_{\max}) = (251, 3, 128, 55, 87). \tag{3} \]

This leads to the following key and signature sizes for NSS: 

Public Key: 1757 bits     Private Key: 502 bits     Signature: 1757 bits 

We take f_0 = 1 and g_0 = 1 − 2X, where recall that f = f_0 + p f_1 and g = g_0 + p g_1. In order to describe the sample spaces, we let 

\[ \mathcal{T}(d) = \{ F(X) \in R : F \text{ has } d \text{ coefficients equal to } 1 \text{ and } d \text{ equal to } -1, \text{ with the rest } 0 \}. \]

Then the sample spaces corresponding to the parameter set (3) are 

\[ \mathcal{F}_f = \mathcal{T}(70), \qquad \mathcal{F}_g = \mathcal{T}(40), \qquad \mathcal{F}_m = \mathcal{T}(32). \]

Note that m is a hash of the digital document D being signed. Thus the users must agree on a method (e.g., using SHA1) to transform D into a list of 64 distinct integers 0 ≤ i_1, …, i_64 < 251, and then 

\[ m = \sum_{k=1}^{32} X^{i_k} - \sum_{k=33}^{64} X^{i_k}. \]

The polynomial w has the form w = m + w_1 + p w_2, so we also must explain how to choose the polynomials w_1 and w_2. This must be done carefully so as to prevent an attacker from either lifting to a lattice over Z (see Section 4.4) or gaining information via a reversal averaging attack (see the discussion of averaging attacks below). Roughly, the idea is to choose random w_2, compute s' = f * (m + p w_2) (mod q) and t' = g * (m + p w_2) (mod q), choose w_1 to cancel all of the common deviations of (s', f_0 * m) and (t', g_0 * m) and to exchange some of the noncommon deviations, and finally to alter w_2 to move approximately 1/p of the nonzero coefficients of m + w_1. For the parameter set (3) given above, the polynomial w_1 has up to 25 nonzero coefficients and w_2 is initially chosen at random from the set T(32). The precise prescription for creating w is described in Section 2.1. 

We have implemented NSS in C and run it on various platforms. Table 1 describes the performance of NSS on a desktop machine and on a constrained device and gives comparable figures for RSA and ECDSA signatures. 
Table 1. Speed Comparison of NSS, RSA, and ECDSA 

                  Pentium      Palm 
  NSS Sign        0.35 ms      0.33 sec 
  RSA Sign        66.56 ms     36.13 sec 
  ECDSA Sign      1.18 ms      1.79 sec 
  NSS Verify      0.29 ms      0.25 sec 
  RSA Verify      1.23 ms      0.73 sec 
  ECDSA Verify    1.70 ms      3.26 sec 

Notes for Table 1: 

1. NSS speeds from the NERI implementation of NSS by NTRU Cryptosystems. 

2. RSA and ECDSA speeds presented by Alfred Menezes at CHES 2000. 

3. RSA 1024 bit verify uses a small verification exponent for increased speed. 

4. ECDSA 163 bit uses a Koblitz curve for increased speed. Time is approximately doubled if a random curve over F_{2^{163}} is used. 

2.1 Selection of the Masking Polynomial w 

The polynomial w = m + w_1 + p w_2 has two purposes. First, it includes the message digest m and is thus the means by which m is attached to the signature s. Second, it contains polynomials w_1 and w_2 that introduce variability into the signature and prevent an attacker from gaining useful information that might be used to find the private key f or to directly forge a signature. 

There are two principal areas that must be addressed when selecting w. First, in the optimized version we must ensure that an attacker cannot lift the values of s = f * w (mod q) and t = g * w (mod q) to the exact values of f * w or g * w in Z[X]. Second, we must ensure that the attacker cannot use averages formed from long transcripts of signatures to deduce information about f or g. 

The first item is addressed by selecting w_1 so as to alter many of the coefficients of f * (m + p w_2) and g * (m + p w_2) that lie outside the range from −q/2 to q/2. This has the effect of masking the coefficients that have suffered nontrivial reduction modulo q and prevents the attacker from undoing the reduction. The second item is handled by changing 1/p of the coefficients of w_2; this has the effect of forcing all second moment transcript averages to converge to 0. We now describe exactly how w_1 and w_2 are created. For ease of exposition, we assume that p = 3. For further details of why this procedure protects against lifting and averaging attacks, see [5]. 

The first step is to choose a random polynomial w_2 ∈ T(d_{w_2}). That is, w_2 has a specified number of 1's and −1's. For example, the parameter set (3) takes w_2 ∈ T(32). The next step is to compute preliminary signature polynomials 

\[ s' = f * (m + p w_2) \pmod q \quad\text{and}\quad t' = g * (m + p w_2) \pmod q. \tag{4} \]

Next we choose w_1. We start with w_1 = 0. We let i = 0, 1, 2, …, N − 1 and run through the coefficients s'_i and t'_i of s' and t', performing the following steps. [The quantity w_1-Limit used below is a prespecified parameter. For the parameter set (3), its value is 25.] 

• If s'_i ≢ m_i (mod p) and t'_i ≢ m_i (mod p) and s'_i ≡ t'_i (mod p), then set w_{1,i} = m_i − s'_i (mod p). 

• If s'_i ≢ m_i (mod p) and t'_i ≢ m_i (mod p) and s'_i ≢ t'_i (mod p), then set w_{1,i} = 1 or −1 at random. 

• If s'_i ≢ m_i (mod p) and t'_i ≡ m_i (mod p), then with probability 25%, set w_{1,i} = m_i − s'_i (mod p). 

• If s'_i ≡ m_i (mod p) and t'_i ≢ m_i (mod p), then with probability 25%, set w_{1,i} = m_i − t'_i (mod p). 

• If i = N − 1 or if w_1(X) has more than w_1-Limit nonzero coordinates, the construction of w_1 is complete. 

Finally, we need to make some alterations to w_2 to prevent the averaging of long transcripts of signatures. This is done by taking each coefficient w_{2,i}, 0 ≤ i < N, and with probability 1/3, replacing it with w_{2,i} − m_i − w_{1,i}. This completes the description of how w_1 and w_2 are chosen. 
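Putting Sections 1.1 and 2.1 together, the following added example (our own code, not the paper's or NTRU Cryptosystems' NERI implementation) transcribes key generation, the masking polynomial w, signing and Alice's tests (A) and (B) for parameter set (3). The inverse f^{-1} mod q is obtained by elimination over GF(2) followed by Newton lifting, a method of our choosing since the paper does not specify one, and the digest m is a constructed element of T(32) standing in for a hashed document.

```python
# Added example, not code from the paper or from NTRU Cryptosystems: key generation,
# the Section 2.1 masking polynomial, signing and tests (A)/(B) for parameter set (3).
import random

N, P, Q, DMIN, DMAX, W1_LIMIT = 251, 3, 128, 55, 87, 25  # (N, p, q, Dmin, Dmax) and w1-Limit
F0, G0 = [1] + [0] * (N - 1), [1, -2] + [0] * (N - 2)    # f0 = 1 and g0 = 1 - 2X
RNG = random.Random(2001)                                # seeded so the run is reproducible

def mul(a, b):
    """Product in R = Z[X]/(X^N - 1): cyclic convolution of coefficient lists."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return c

def center(a, m):
    """Reduce each coefficient modulo m into the range [-m/2, m/2)."""
    return [(x + m // 2) % m - m // 2 for x in a]

def sample_t(d, rng=RNG):
    """Draw from T(d): d coefficients equal to 1, d equal to -1, the rest 0."""
    a = [0] * N
    for k, i in enumerate(rng.sample(range(N), 2 * d)):
        a[i] = 1 if k < d else -1
    return a

def dev(a, b):
    """Dev(a, b) of Definition 1: reduce mod q, then mod p, and count differing coefficients."""
    ra, rb = center(center(a, Q), P), center(center(b, Q), P)
    return sum(x != y for x, y in zip(ra, rb))

def inverse_mod2(f):
    """Inverse of f in (Z/2Z)[X]/(X^N - 1) by elimination over GF(2); None if there is none."""
    basis = {}                                  # leading bit -> (row, combination of X^i*f rows)
    def reduce_row(bits, combo, insert):
        while bits:
            lead = bits.bit_length() - 1
            if lead not in basis:
                if insert:
                    basis[lead] = (bits, combo)
                break
            bits ^= basis[lead][0]
            combo ^= basis[lead][1]
        return bits, combo
    for i in range(N):                          # row i is X^i * f (mod 2) as a bit mask
        reduce_row(sum(1 << ((i + j) % N) for j, c in enumerate(f) if c & 1), 1 << i, True)
    bits, combo = reduce_row(1, 0, False)       # express the constant polynomial 1 in the basis
    return None if bits else [(combo >> i) & 1 for i in range(N)]

def inverse_mod_q(f):
    """Inverse of f modulo q = 2^k: Newton-lift the mod-2 inverse with u <- u * (2 - f*u)."""
    u, m = inverse_mod2(f), 2
    while u is not None and m < Q:
        m *= m                                  # each step doubles the number of correct bits
        fu = mul(f, u)
        u = [x % m for x in mul(u, [(2 if i == 0 else 0) - fu[i] for i in range(N)])]
    return None if u is None else center(u, Q)

def keygen(rng=RNG):
    """Bob's keys: f = f0 + p*f1, g = g0 + p*g1 with f1 in T(70), g1 in T(40); h = f^-1 * g mod q."""
    while True:
        f = [a + P * b for a, b in zip(F0, sample_t(70, rng))]
        g = [a + P * b for a, b in zip(G0, sample_t(40, rng))]
        f_inv = inverse_mod_q(f)
        if f_inv is not None:
            return center(mul(f_inv, g), Q), (f, g)

def choose_w(m, f, g, rng=RNG):
    """w = m + w1 + p*w2, following the Section 2.1 prescription (p = 3)."""
    w2 = sample_t(32, rng)
    base = [mi + P * x for mi, x in zip(m, w2)]
    s1 = center(center(mul(f, base), Q), P)     # s' reduced mod q, then mod p
    t1 = center(center(mul(g, base), Q), P)     # t' reduced mod q, then mod p
    w1, nonzero = [0] * N, 0
    for i in range(N):
        if nonzero > W1_LIMIT:                  # more than w1-Limit nonzero coordinates: stop
            break
        ds, dt = s1[i] != m[i], t1[i] != m[i]  # does s'_i (resp. t'_i) deviate from m_i mod p?
        if ds and dt:
            w1[i] = center([m[i] - s1[i]], P)[0] if s1[i] == t1[i] else rng.choice((1, -1))
        elif (ds or dt) and rng.random() < 0.25:
            w1[i] = center([m[i] - (s1[i] if ds else t1[i])], P)[0]
        nonzero += w1[i] != 0
    # with probability 1/p replace w2_i by w2_i - m_i - w1_i, against transcript averaging
    w2 = [x - mi - y if rng.random() < 1 / P else x for x, mi, y in zip(w2, m, w1)]
    return [mi + x + P * y for mi, x, y in zip(m, w1, w2)]

def verify(m, s, h):
    """Alice's check: s != 0, then tests (A) and (B) of Section 1.1."""
    if not any(s):
        return False
    t = center(mul(h, s), Q)
    return DMIN <= dev(s, mul(F0, m)) <= DMAX and DMIN <= dev(t, mul(G0, m)) <= DMAX

def sign(m, f, g, h, rng=RNG):
    """Bob signs the digest m, redrawing w2 until (m, s) passes (A) and (B) (Remark 2)."""
    while True:
        s = center(mul(f, choose_w(m, f, g, rng)), Q)
        if verify(m, s, h):
            return s
```

Calling keygen(), then sample_t(32) for a digest and sign(m, f, g, h), yields a pair (m, s) that verify accepts; the same s checked against another digest fails test (B) by a wide margin.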

3 Completeness of NSS 

A signature scheme is deemed to be complete if Bob’s signature, created with 
the private signing key /, will be accepted as valid. Thus we need to check that 
Bob’s signed message (m, s) passes the two tests (A) and (B). 

3.1 The Norm of a Polynomial 

In order to analyze the two verification conditions we briefly digress to discuss 
norms of polynomials. 

Let 

\[ a = a_0 + a_1 X + a_2 X^2 + \cdots + a_{N-1} X^{N-1} \]

be a polynomial with integer coefficients and let μ be the average of the coefficients. We define the centered Euclidean Norm and the Sup Norm of a, denoted respectively ||a|| and ||a||_∞, by the formulas 

\[ \|a\| = \sqrt{(a_0 - \mu)^2 + \cdots + (a_{N-1} - \mu)^2} \quad\text{and}\quad \|a\|_\infty = \max\{ |a_0|, \ldots, |a_{N-1}| \}. \]

In our examples, μ will be close to or equal to zero. 

We require certain facts about polynomials with small coefficients. For random polynomials with small coefficients such as f and w, it is generally true that 

\[ \|f * w\| \approx \|f\| \cdot \|w\| \quad\text{and}\quad \|f * w\|_\infty \approx \gamma\, \|f\| \cdot \|w\|, \tag{5} \]

where γ < 0.15 for N < 1000. The NTRU cryptosystem relies on these properties of small polynomials, which are discussed in the NTRU paper. (Note that the infinity norm defined there is actually twice the infinity norm defined here.) 

With this background we now easily check the completeness of NSS. 
Test (A): The polynomial s that Alice tests is congruent to the product 

\[
\begin{aligned}
s &= f * w \pmod q \\
  &= (f_0 + p f_1)(m + w_1 + p w_2) \pmod q \\
  &= f_0 * m + f_0 * w_1 + p f_0 * w_2 + p f_1 * w \pmod q.
\end{aligned}
\]

We see that the i-th coefficients of s and f_0 * m will agree modulo p unless one of the following situations occurs: 

• The i-th coefficient of f_0 * w_1 is nonzero. 

• The i-th coefficient of f * w is outside the range (−q/2, q/2], so differs from the i-th coefficient of s by some multiple of q. 

The estimates in (5) tell us that before reduction modulo q, the absolute value of the coefficients of f * w is bounded above by γ ||f|| · ||w||. As long as this quantity does not greatly exceed q/2, little reduction modulo q will take place. If the parameters and sample spaces are chosen properly (e.g., as in Section 2) then there will be at least D_min and at most D_max deviations between s mod p and m mod p. Alternatively, if ||f|| and ||w|| are sufficiently small, then no reduction modulo q will take place and one can set D_min = D_max = 0. Thus Bob's signature will pass test (A). 

Test (B): The polynomial t is given by 

\[ t = h * s = (f^{-1} * g) * (f * w) = g * w \pmod q. \]

Since g has the same form as f, the same reasoning as for test (A) shows that t will pass test (B). 

Remark 2. We have indicated why, for appropriate choices of parameters, Bob's signature will probably be accepted by Alice. Note that when Bob creates his signature, he should check to make sure that it is a valid signature. For the parameters (N, p, q, D_min, D_max) = (251, 3, 128, 55, 87) from Section 2 we see from Table 2 that the probability that Dev(s, f_0 * m) is valid is approximately 87.33% and the probability that Dev(t, g_0 * m) is valid is approximately 90.92%. Thus Bob's signature will be valid about 79.40% of the time. Of course, if it is not valid, he simply chooses a new random polynomial w_2 and tries again. In practice it will not take very many tries to find a valid signature. The timings given in Table 1 take this factor into account. 



4 Security Analysis of NSS 

It was shown in Section 3 that given a message m, Bob can produce a signature s satisfying the necessary requirements. In this section we discuss various ways in which an observer Oscar might try to break the system. There are many attacks that he might try. For example, he might attempt to discover the private key f or a useful imitation, either directly from the public key h or from a long transcript of valid signatures. He might also try to forge a signature on a message without first finding the private key. We describe the hard lattice problems that underlie some of these attacks and examine the success probabilities of other attacks that rely on random searches. In all cases we explain why the indicated attacks are infeasible for an appropriate choice of parameters such as those given in Section 2. Due to space constraints, we must refer the reader to [5] for many of the technical details related to the analysis of the optimized parameter set. 

Table 2. Deviations Between f_0 * m and s and Between g_0 * m and t 

  Range         Dev(s, f_0 * m)   Dev(t, g_0 * m) 
  32 to 39           0.02%             0.08% 
  40 to 47           0.38%             0.99% 
  48 to 55           3.53%             6.98% 
  56 to 63          14.21%            26.32% 
  64 to 71          27.58%            37.79% 
  72 to 79          28.51%            21.22% 
  80 to 87          17.03%             5.58% 
  88 to 95           6.54%             0.90% 
  96 to 103          1.74%             0.11% 
  104 to 158         0.46%             0.02% 

  (N, p, q) = (251, 3, 128); 10^6 trials 

4.1 Random Search for a Valid Signature on a Given Message 

Given a message m, Oscar must produce a signature s satisfying: 

(A) D_min ≤ Dev(s, f_0 * m) ≤ D_max. 

(B) D_min ≤ Dev(t, g_0 * m) ≤ D_max, where t = s * h (mod q). 

If D_min = D_max = 0 these conditions become: 

(A') s ≡ f_0 * m (mod p). 

(B') t = h * s (mod q) satisfies t ≡ g_0 * m (mod p). 

The most straightforward approach for Oscar is to choose s at random sat- 
isfying condition (A), which is obviously easy to do, and then to hope that t 
satisfies condition (B). If it does, then Oscar has successfully forged Bob’s sig- 
nature, and if not, then Oscar can try again with a different s. Thus we must 
examine the probability that a randomly chosen s satisfying (A) will yield a t 
that satisfies (B). 

The condition (A) on s has no real effect on the end result t, since t is 
formed by multiplying s * h and reducing the coefficients modulo q, and the 
coefficients of h are essentially uniformly distributed modulo q. Thus we are really 
asking for the probability that a randomly chosen polynomial t with coefficients 
between —q/2 and q/2 will satisfy condition (B). This is easily computed using 
elementary probability theory. 
The coefficients of a randomly chosen t can be viewed as N independent random variables taking values uniformly modulo q. The coefficients of m are fixed target values modulo p. We need to compute the probability that a randomly chosen N-tuple of integers modulo q has at least D_min and no more than D_max of its coordinates deviating modulo p from fixed target values. Assuming that q is significantly larger than p, this probability is approximately 

\[ \mathrm{Prob}(D_{\min} \le \mathrm{Dev}(t, g_0 * m) \le D_{\max}) \approx \frac{1}{p^N} \sum_{d = D_{\min}}^{D_{\max}} \binom{N}{d} (p-1)^d. \]

(Notice that for condition (B'), the probability is p^{−N}, since all N "random" coefficients of t (mod p) must match g_0 * m.) Table 3 gives this probability for (N, p) = (251, 3) and several values of D_min and D_max. For example, the table shows that for D_max = 87, the probability of a successful forgery using a randomly selected s is approximately 2^{−80.95}. 


Table 3. Probability that a Random t Satisfies D_min ≤ Dev(t, g_0 * m) ≤ D_max 

  D_min   D_max   Probability 
   55      82     2^{-90.86} 
   55      87     2^{-80.95} 
   55      92     (value not legible in the scan) 
   55      98     (value not legible in the scan) 

4.2 NTRU Lattices and Lattice Attacks on the Public Key 

Oscar can try to extract the private key / from the public key h with or with- 
out a long transcript of genuine signatures. Alternatively, he can try to forge a 
signature without knowledge of /, using only h and a transcript. In this section 
we discuss attempts by Oscar to obtain the private key from the public key by 
lattice reduction methods. As is the case with the NTRU cryptosystem, recov- 
ery of the private key by this means is equivalent to solving a certain class of 
shortest or closest vector problems. 

We begin with a brief exposition of our approach to the analysis of lattice reduction problems. We have performed a large number of computer experiments to quantify the effectiveness of current lattice reduction techniques. This has given us a strong empirical foundation for analyzing and quantifying the vulnerability of several general classes of lattices to lattice reduction attacks. The following analysis and heuristics apply to the lattices discussed in this paper. (See also the lattice material in the papers cited in our references.) 

Let L be a lattice of determinant d and dimension n. Let v_0 denote a given fixed vector, possibly the origin. Let r denote a given radius and consider the problem of locating a vector v ∈ L such that ||v − v_0|| < r. The difficulty of solving this problem for large n is related to the quantity 

\[ \kappa = \kappa(L, r) = \frac{r}{d^{1/n} \sqrt{n/(2\pi e)}}. \tag{6} \]

Here the denominator is the length that the gaussian heuristic predicts for the shortest expected vector in L. See the NTRU paper for a similar analysis. 

If κ < 1, then the gaussian heuristic says that a solution, if one exists at all, will probably be unique (or unique up to obvious symmetries of the lattice). The closer that κ is to 0, the easier it will be to find the unique solution using lattice reduction methods. As κ gets close to 1, lattice reduction methods become less effective. 

For example, let (L_n, r_n, v_{0,n}) be a sequence of lattices, radii, and target vectors of increasing dimension n that contain a target vector v_n ∈ L_n (i.e., satisfying ||v_n − v_{0,n}|| < r_n) and whose κ values satisfy 

\[ \kappa_n = \kappa(L_n, r_n) = c/\sqrt{n} \tag{7} \]

for a constant c. Then our experiments suggest that the time necessary for lattice reduction methods to find the target vector v_n grows like e^{αn} for a value of α that is roughly proportional to c. Similarly, if κ > 1, then a solution will probably not be unique, but it becomes progressively harder to find a solution as κ approaches 1. 

We must stress here that the above statements are not intended to be a 
proof of security or to convey any assurance of security. They merely supply a 
conceptual framework that we have found useful for formulating working param- 
eter sets. The lattices associated to these parameter sets are then subjected to 
extensive experimental testing. 

Recall from (2) that the public key has the form h = f^{-1} * g (mod q), where f = f_0 + p f_1 and g = g_0 + p g_1. As this is very similar to the form of an NTRU public key, a 2N-dimensional lattice attack based on the shortest vector can be used to try to derive f and g from h. See the NTRU paper for details on the NTRU lattice and the use of lattice reduction methods to compute the shortest expected vector. 

If we identify polynomials with their vector of coefficients, then the 2N-dimensional NTRU lattice consists of the linear combinations of the 2N vectors in the set 

\[ \{ (X^i, X^i * h) : 0 \le i < N \} \cup \{ (0, q X^i) : 0 \le i < N \}. \]

Equivalently, the NTRU lattice is the set of all vectors (F(X), F(X) * h(X)), where F(X) varies over all N-dimensional vectors and the last N coordinates are allowed to be changed by arbitrary multiples of q. It is not hard to see that the vector (f, g) is contained in the NTRU lattice and will be shorter than its expected shortest vector (i.e., κ < 1). Thus in principle, (f, g) should be essentially unique and findable by lattice reduction methods. 

A more effective attack is to use the knowledge of f_0, g_0 to set up a closest vector attack on f_1, g_1 in the same 2N-dimensional lattice. The object is to search for the vector in the lattice that is closest to the vector (0, (g_0 − f_0 * h) p'), where p p' ≡ 1 (mod q). If successful, this attack produces a small F such that 
G = F * h − (g_0 − f_0 * h) p' (mod q) is also small. Then (f_0 + pF, g_0 + pG) is either the original key or a useful substitute. With this approach, after balancing the lattice as in the NTRU paper, we obtain the following estimate for the constant c in equation (7): 

\[ c \ge 2 \sqrt{\pi e \, \|f_1\| \, \|g_1\| / q}. \tag{8} \]

Experimental evidence shows that if L runs through a sequence of NTRU type lattices of dimension 2N with N > 80 and q ≈ N/2 and if the constant c of (7) satisfies c > 3.7, then the time T (in MIPS-years) necessary for the LLL reduction algorithm to find a useful solution to the closest vector problem satisfies 

\[ \log T \ge 0.1707 N - 15.82. \tag{9} \]

Thus if N = 251 and c = 3.7, one has T > 5 · 10^{11} MIPS-years. 

For the optimized version of NSS presented in Section 2 we have N = 251 and c ≥ 5.3. Since larger c values in (7) yield longer LLL running times, we see that the time to find the target vector should be at least 10^{12} MIPS-years, and is probably considerably higher. In general, we obtain this lower bound provided that N, F_f, F_g are chosen so that ||f_1||, ||g_1|| give a large enough value for c in (8). 



4.3 Lattice Attacks on Transcripts 

Another potential area of vulnerability is a transcript of signed messages. Oscar can examine a list of signatures s, s', s'', …, which means that he has at his disposal the lists 

\[ f w,\ f w',\ f w'', \ldots \pmod q \quad\text{and}\quad g w,\ g w',\ g w'', \ldots \pmod q. \tag{10} \]

If Oscar can determine any of the w values, then he can easily recover f and g. Using division, Oscar can obtain w^{-1} w' mod q and other similar ratios, so he can launch an attack on the pair (w, w') identical to that described in the preceding section. As long as ||w||, ||f||, and ||g|| are about the same size, the value of κ will remain the same or increase, leading to no improvement in the breaking time. 

Oscar can also set up a kN-dimensional NTRU type lattice using the ratios of signatures w^{(2)}/w^{(1)}, w^{(3)}/w^{(1)}, …, w^{(k)}/w^{(1)}. The target is (w^{(1)}, …, w^{(k)}). With this approach the value of κ decreases as k increases, giving the attacker a potential advantage, but the increasing dimension more than offsets any advantage gained. With the parameters given in Section 2 the optimal value of k for the attacker is k = 10, giving κ = 4.87/√(10N). This is a bit better than the c ≥ 5.3 coming from the original 2N-dimensional lattice, but still considerably worse than the c = 3.7 that gave us the original lower bound of 10^{12} MIPS-years. 

There are several other variations on the lattice attacks described in this and the previous section, but none appears to be stronger than the closest vector attack on the public key given in Section 4.2. 
4.4 Lifting an NSS Signature Lattice to Z 

Recall that an attacker Oscar is presumed to have access to a transcript of signed messages such as given in (10). Various ways in which he might try to exploit this mod q information are described in Sections 4.2 and 4.3. In this section we are concerned with the possibility that Oscar might lift the transcript information (10) and recover the values of f * w, f * w', … exactly over Z. 

This is the primary area where the signature scheme with zero deviations differs from the optimized scheme. If the signatures can be recovered over Z, as they can be if D_min = D_max = 0, then two additional lattice attacks are made possible. In the optimized scheme of Section 2, we ensure that a lift back to Z is impractical by making the number of possible liftings greater than 2^{80}. This leaves Oscar with only the lattice attacks described in Sections 4.2 and 4.3 and allows us to take N = 251 while maintaining a breaking time in excess of 10^{12} MIPS years. 

We now investigate the attacks that are possible if such a lifting can be accomplished. This analysis, irrelevant for the optimized parameters, allows us to set parameters for a simpler variant of NSS with D_min = D_max = 0. 

Suppose that Oscar forms the lattice L' generated by X^i * f * w with 0 ≤ i < N and a few different values of w (or similarly for X^i * g * w). It is highly likely that the shortest vectors in L' are the rotations of f. Essentially, Oscar is searching for a greatest common divisor of the products f * w, though the exponentially large class number of the underlying cyclotomic field greatly obstructs the search. Although it is still not easy to find very short vectors in the lattice L' using lattice reduction, the fact that dim(L') = N, as compared to the NTRU lattice of dimension 2N, means that L' is easier to reduce than the NTRU lattice. 

The difficulty of finding a solution to the shortest vector problem for the lattice L' appears to be related, as one might expect, to the magnitude of the norm of f. For example, if one considers a sequence of lattices L' of dimension N formed with f satisfying ||f|| ≈ √(2N/3), then our experiments have shown that the extrapolated time necessary for the LLL reduction algorithm to locate f is at least T MIPS years, where T is given by the formula 

\[ \log T = 0.1151 N - 7.9530. \tag{11} \]

As the norm of f is reduced, the time goes down. For example, if we take ||f|| ≈ √(0.068 N), then our experiments show that the breaking time is greater than the T given by the formula 

\[ \log T = 0.0785 N - 6.2305. \tag{12} \]

One further lattice attack of dimension 2N is enabled if a lifting to Z is possible. One can view it as an alternative attack on the gcd problem. Given two products f * w and g * w, one can reduce these modulo any integer Q and then take the ratio, obtaining f^{-1} * g modulo Q. This is very similar to the original problem of finding the private key from the public key, but there is an important difference. The integer Q can be chosen as large as desired, which has the effect of decreasing the value of κ. As a result, it becomes easier to reduce the lattice. The advantage of making Q larger does not continue indefinitely, and the ultimate result is to reduce the effective dimension of the lattice from 2N to N. Experiments have shown that when f and g satisfying ||f|| = ||g|| = √(2N/3) are used to generate these lattices and an optimal value of Q is chosen for each N, the extrapolated time necessary for the LLL reduction algorithm to locate f is at least T MIPS years, where T is given by the formula 

\[ \log T = 0.0549 N + 1.7693. \tag{13} \]

This third approach seems to be the strongest attack, yielding a lower bound of 10^{12} MIPS years when N > 680. As with the N-dimensional lattice, decreasing the norms of f and g does not seem to lower the slope of the line very much, while increasing the norms increases the slope somewhat. A closest vector attack on (f_1, g_1) might decrease this lower bound a bit, but should not alter it substantially. 

4.5 Forgery via Lattice Reduction 

The opponent, Oscar, can try to forge a signature $s$ on a given message $m$ by 
means of lattice reduction. We show in this section that an ability to accomplish 
this implies an ability to consistently locate a very short vector in a large class 
of $(2N+1)$-dimensional lattices. 

First consider the case that $D_{\min} = D_{\max} = 0$, so Oscar must find a polynomial 
$s$ satisfying $s \equiv f_0 * m \pmod p$ and such that $t \equiv h * s \pmod q$ satisfies 
$t \equiv g_0 * m \pmod p$. Let $m_s$ and $m_t$ be the polynomials with coefficients between 
$-p/2$ and $p/2$ satisfying $m_s \equiv f_0 * m \pmod p$ and $m_t \equiv g_0 * m \pmod p$, 
respectively. Consider the $(2N+1)$-dimensional lattice $L_m$ generated by 

$$\{(X^i,\ X^i * h,\ 0) : 0 \le i < N\} \;\cup\; \{(0,\ qX^i,\ 0) : 0 \le i < N\} \;\cup\; \{(m_s,\ m_t,\ 1)\}.$$

Then $L_m$ contains the vector $r = (s - m_s,\ t - m_t,\ -1)$. The norm of $r$ can be 
estimated by assuming that its coordinates are more-or-less randomly distributed 
in the interval $[-q/2, q/2]$. This yields $\|r\| \approx q\sqr{N/6}$. 

The vector $r$ is also contained in the lattice $L_p = (p\mathbb{Z})^{2N} \oplus \mathbb{Z}$. Let $L_{m,p} = 
L_m \cap L_p$ be the intersection. In other words, letting $I_N$ denote the $N$-by-$N$ 
identity matrix and $H$ the $N$-by-$N$ circulant matrix formed from the coefficients 
of the public key $h$, the lattice $L_{m,p}$ is the intersection of the lattices generated 
by the rows of the following matrices: 

$$L_{m,p} \;=\; \begin{pmatrix} I_N & H & 0 \\ 0 & qI_N & 0 \\ m_s & m_t & 1 \end{pmatrix} \;\cap\; \begin{pmatrix} pI_N & 0 & 0 \\ 0 & pI_N & 0 \\ 0 & 0 & 1 \end{pmatrix}$$

Then $L_{m,p}$ has determinant equal to $(\det L)\,p^{2N}$. Referring to the definition of $\kappa$ given earlier, we see that 

$$\kappa \approx \sqrt{\pi e q / 6p^2}.$$
For example, $(N, p, q) = (719, 3, 359)$ gives $\kappa \approx 7.5$. This means that the 
construction of a signed message is equivalent to finding a vector in $L_{m,p}$ that 
is about 7.5 times longer than the expected shortest vector. It follows that if 
Oscar is able to forge messages with a reasonable probability, then with reasonable 
probability he can also find vectors within a factor of 7.5 of the shortest 
vector. Experiments have indicated that for $N \approx 700$, it requires far in excess of 
10^^ MIPS-years to find such a vector in the $(2N+1)$-dimensional lattice $L_{m,p}$. 
We note also that the probability that such a vector would have all of its coefficients 
bounded in absolute value by $q/2$ is extremely low. 
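
The value of $\kappa$ just quoted can be checked from the determinant of $L_{m,p}$. The following derivation is an added worked example, not part of the original paper; it assumes, as is standard for NTRU lattices, that $\det L = q^N$ for the $2N$-dimensional lattice spanned by the first two row blocks, and that the shortest vector of a random lattice of dimension $d$ and determinant $D$ has expected length $\sigma \approx \sqrt{d/2\pi e}\; D^{1/d}$ (the Gaussian heuristic). 

$$\det L_{m,p} = (\det L)\, p^{2N} = q^N p^{2N}, \qquad d = 2N+1 \approx 2N,$$

$$\sigma \approx \sqrt{\frac{2N}{2\pi e}}\;\bigl(q^N p^{2N}\bigr)^{1/2N} = \sqrt{\frac{N}{\pi e}}\; p\sqrt{q},$$

$$\kappa = \frac{\|r\|}{\sigma} \approx \frac{q\sqrt{N/6}}{p\sqrt{qN/\pi e}} = \sqrt{\frac{\pi e\, q}{6p^2}}.$$

For $(N, p, q) = (719, 3, 359)$ this is $\sqrt{\pi e \cdot 359 / 54} \approx 7.5$, and for the optimized parameters $(251, 3, 128)$ it is $\sqrt{\pi e \cdot 128 / 54} \approx 4.5$. Note that $N$ cancels, so $\kappa$ depends only on $q/p^2$: raising $p$ (or lowering $q$) is what pushes the forgery target below the expected shortest vector. 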

The case of the optimized parameters of Section 2 is similar. Oscar's best 
strategy is probably to simply choose $m_s$ at random having the correct properties 
(i.e., with $\mathrm{Dev}(m_s, f_0 * m)$ in the allowable range) and to choose 

$$m_t \equiv g_0 * m \pmod p$$

exactly. The optimized parameters $(N, p, q) = (251, 3, 128)$ lead to a 503-dimensional 
lattice with $\kappa \approx 4.5$. Oscar must first try to find a vector no more than 4.5 
times longer than the shortest vector. He must then refine his search so that the 
first $N$ coordinates of his vector have absolute value less than $q/2$ and so that 
the second $N$ coordinates have at least 55 and no more than 87 coordinates 
with absolute value greater than $q/2$. The norm condition alone requires about 
10® MIPS years for LLL to produce a candidate. Experiments indicate that if 
the necessary additional constraints are placed on the sup norms of the vectors, 
then the required time will significantly exceed 10®^ MIPS years. 

Another, less efficient, forgery attack requiring a $3N$-dimensional lattice is 
described in detail in 0. 

In conclusion, forgery solutions probably exist in both the general and the 
optimized versions of NSS, but the time required to find a forgery is sufficiently 
large so as to preclude a successful attack based on this approach. 



4.6 Transcript Averaging Attacks 

As mentioned previously, examination of a transcript (II 111 of genuine signatures 
gives the attacker a sequence of polynomials of the form 

$$s \equiv f * w = (f_0 + p f_1)(m + w_1 + p w_2) \pmod q$$

with varying $w_1$ and $w_2$. A similar sequence is known for $g$. Because of the 
inherent linearity of these expressions, we must prevent Oscar from obtaining 
useful information via a clever averaging of long transcripts. 

The primary tool for exploiting such averages is the reversal of a polynomial 
$a(X) \in R$, defined by $\rho(a) = a(X^{-1})$. Then the average of $a * \rho(a)$ over a sequence 
of polynomials with uncorrelated coefficients will approach the constant $\|a\|^2$, 
while the average of $a' * \rho(a)$ over pairs of uncorrelated polynomials $a, a'$ will converge to 0. 
If $m$, $w_1$, and $w_2$ were essentially uncorrelated, then Oscar could obtain useful 
information by averaging expressions like $s * \rho(m)$ over many signatures. Indeed, 
this particular expression would converge to $f\|m\|^2$, and thus would reveal the 
private key $f$. 

There is an easy way to prevent all second moment attacks of this sort. 
Briefly, after $m$, $w_1$, and a preliminary $w_2$ are chosen, Bob goes through the 
coefficients of $m + w_1$ and, with probability $1/p$, subtracts that value from the 
corresponding coefficient of $w_2$. This causes averages of the form $a * \rho(b)$ created 
from signatures to equal 0. For further details on this attack and the defense 
that we have described, see [E]. We also mention that it might be possible to 
compute averages that yield the value of $f * \rho(f)$ and averages that use fourth 
power moments, but the former does not appear to be useful for breaking the 
scheme and the latter, experimentally, appears to converge much too slowly to 
be useful. Again we refer to [E] for details. 

4.7 Forging Messages to Known Signatures 

Another possible attack is to take a list of one or more valid signatures $(s, t, m)$, 
generate a large number of messages $m'$, and try to find a signature in the list that 
validly signs one of the messages. It is important to rule out attacks of this sort, 
since for example, one might take a signature in which $m$ says "IOU \$10" and try 
to find an $m'$ that says "IOU \$1000". Note that this attack is different from the 
attack in Section 4.5 in which one chooses an $m$ and an $s$ with valid $\mathrm{Dev}(s, m)$ 
and hopes that $t \equiv h * s \pmod q$ has a valid $\mathrm{Dev}(t, g_0 * m)$. The fact that $(s, t, m)$ 
is already a valid signature implies some correlation between $s$ and $t$, which may 
make it more likely that $(s, t)$ also signs some other $m'$. 

In the case of zero deviations, if signature encoding is used as suggested in 
Section 4.9, then it is quite clear that the probability of a successful attack by 
this method is negligible. 

In the case of the optimized parameters the situation is somewhat harder to 
analyze, but a conservative probabilistic estimate shows that the possibility of a 
successful forgery is less than 2“®^. For added security, one can reduce the value 
of $D_{\max}$ to 81. This makes it only a little harder to produce a valid signature 
while reducing the above probability to less than 2“®^. See 0 for details. 

4.8 Soundness of NSS 

A signature scheme is considered sound if it can be proved that the ability to 
produce several valid signatures on random messages implies an ability to recreate 
the secret key. We can not prove this for the parameters given in Section El 
which have been chosen to maximize efficiency. Instead, the preceding sections 
on security analysis make a strong argument that forgery is not feasible without 
the private key, and that it is not feasible to recover the private key from either 
a transcript of valid signatures or the public key. 

We can, however, make a probabilistic argument for soundness under certain 
assumptions. For example, recall from Section 4.5 that the existence of a signed 
message $(m, s)$ implies the existence of a vector in a lattice which is a factor 
of $\kappa = \sqrt{\pi e q / 6p^2}$ times larger than the expected smallest vector. We have 
chosen $p = 3$ for efficiency, but if $p$ is somewhat larger, for fixed $N$, then $\kappa$ will 
be less than 1. This implies that the existence of such a vector by random chance 
is extremely unlikely, and that such a vector is probably related to a genuine 
product $f * w$. If we assume the ability of Oscar to produce such products on 
demand, given an input $m$, with a somewhat larger $p$ it is not too hard to see 
that Oscar can probably recover $f_1$. 

4.9 Signature Encoding 

In practice, it is important that the signature be encoded (i.e., padded and 
transformed) so as to prevent a forger from combining valid signatures to produce 
new valid signatures. For example, let $s_1$ and $s_2$ be valid signatures on 
messages $m_1$ and $m_2$, respectively. Then there is a nontrivial possibility that 
the sum $s_1 + s_2$ will serve as a valid signature for the message $m_1 + m_2$. This 
and other similar sorts of attacks are easily thwarted by encoding the signature. 
For example, one might start with the message $M$ (which is itself probably the 
hash of a digital document) and concatenate it with a time/date stamp $D$ and 
a random string $R$. Then apply an all-or-nothing transformation to $M \| D \| R$ to 
produce the message $m$ to be signed using NSS. This allows the verifier to check 
that $m$ has the correct form and prevents a forger from combining or altering 
valid signatures to produce a new valid signature. 

This is related to the more general question of whether or not Oscar can 
create any valid signature pairs $(m, s)$, even if he does not care what the value 
of $m$ is. When encoding is used, the probability that a random $m$ will have a 
valid form can easily be made smaller than 

Abstract. At EuroCrypt'99, Paillier proposed a new encryption scheme 
based on higher residuosity classes. The new scheme was proven to be 
one-way under the assumption that computing $N$-residuosity classes in 
$\mathbb{Z}_{N^2}^*$ is hard. Similarly the scheme can be proven to be semantically secure 
under a much stronger decisional assumption: given $w \in \mathbb{Z}_{N^2}^*$ it is hard 
to decide if $w$ is an $N$-residue or not. 

In this paper we examine the bit security of Paillier's scheme. We prove 
that, if computing residuosity classes is hard, then given a random $w$ it 
is impossible to predict the least significant bit of its class significantly 
better than at random. This immediately yields a way to obtain semantic 
security without relying on the decisional assumption (at the cost of 
several invocations of Paillier's original function). 

In order to improve efficiency we then turn to the problem of simultaneous 
security of many bits. We prove that Paillier's scheme hides $n - b$ 
(up to $O(n)$) bits if one assumes that computing the class $c$ of a random 
$w$ remains hard even when we are told that $c < 2^b$. We thoroughly 
examine the security of this stronger version of the intractability of the 
class problem. 

An important theoretical implication of our result is the construction of 
the first trapdoor function that hides super-logarithmically (up to $O(n)$) 
many bits. We generalize our techniques to provide sufficient conditions 
for a trapdoor function to have this property. 



1 Introduction 

At EuroCrypt'99 Paillier jf l)j proposed a new encryption scheme based on higher 
residuosity classes. It generalized previous work by Okamoto and Uchiyama 
P]. Both works are based on the problem of computing high-degree residuosity 
classes modulo a composite of a special form (in Paillier's the modulus is $N^2$ 
where $N$ is a typical RSA modulus, while in Okamoto and Uchiyama's the modulus is $N = p^2 q$ where 
$p, q$ are large primes.) 

* The first author’s research was carried out while visiting the Computer Science 
Department of Columbia University. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 223- 1^1^ 2001. 
The mathematical details are described below, but for now let us sketch 
the basics of Paillier's scheme. It can be shown that $\mathbb{Z}_{N^2}^*$ can be partitioned 
into $N$ equivalence classes generated by the following equivalence relationship: 
$a, b \in \mathbb{Z}_{N^2}^*$ are equivalent iff $ab^{-1}$ is an $N$-residue in $\mathbb{Z}_{N^2}^*$. The $N$-residuosity 
class of $w \in \mathbb{Z}_{N^2}^*$ is the integer $c = \mathrm{Class}(w)$ such that $w$ belongs to the $c$-th 
residuosity class (in a well specified ordering of them). The conjectured hard 
problem is: given a random $w$, compute $c$. It can be shown that computing 
$c = \mathrm{Class}(w)$ is possible if the factorization of $N$ is known. 

Thus Paillier suggests the following encryption scheme: To encrypt a message 
$m \in \mathbb{Z}_N$, the sender sends a random element $w \in \mathbb{Z}_{N^2}^*$ such that $\mathrm{Class}(w) = m$ 
(this can be done efficiently as is shown later). The receiver, who knows the 
factorization of $N$, given $w$ can compute $m$. 

If we assume that computing residuosity classes is hard, then this scheme is 
simply one-way. Indeed even if computing the whole of $m$ is hard, it is possible 
that partial information about $m$ can be leaked. 

What we would like to have is instead a semantically secure scheme. Semantic 
security (introduced by Goldwasser and Micali in fZj) basically says that to 
a polynomial time observer the encryption of a message $m$ should look indistinguishable 
from the encryption of a different message $m'$. Paillier's scheme is 
semantically secure if we assume a stronger decisional assumption: given a random 
element $w \in \mathbb{Z}_{N^2}^*$ it is impossible to decide efficiently if $w$ is an $N$-residue 
or not. 

Hard-Core Bits. The concept of hard-core bits for one-way functions was 
introduced by Blum and Micali in j^. 

Given a one-way function $f : \{0,1\}^n \to \{0,1\}^n$ we say that $\pi : \{0,1\}^n \to 
\{0,1\}$ is a hard-core predicate for $f$ if given $y = f(x)$ it is hard to guess $\pi(x)$ 
with probability significantly higher than $1/2$. Another way of saying this is that 
if $x$ is chosen at random then $\pi(x)$ looks random (to a polynomial time observer) 
even when given $y = f(x)$. 

Blum and Micali showed the existence of a hard-core predicate for the discrete 
logarithm function. Later a hard-core bit for the RSA/Rabin functions was 
presented in fQ. Goldreich and Levin in jS| show that any one-way function has 
a hard-core predicate. 

The concept can be generalized to many hard bits. We say that $k$ predicates 
$\pi_1, \ldots, \pi_k$ are simultaneously hard-core for $f$ if given $f(x)$ the collection of bits 
$\pi_1(x), \ldots, \pi_k(x)$ looks random to a polynomial time observer. 

Our Result: In this paper we investigate the hard core bits of Paillier's new 
trapdoor scheme. We first prove that the least significant bit of $c = \mathrm{Class}(w)$ 
is a hard-core bit if we assume computing residuosity classes is hard. In other 
words we show that given a random $w \in \mathbb{Z}_{N^2}^*$, if one can guess $\mathrm{lsb}(\mathrm{Class}(w))$ 
better than at random, then one can compute the whole $\mathrm{Class}(w)$ efficiently. 

Let $n = |N|$. The result above can be generalized to the simultaneous hardness 
of the least $O(\log n)$ bits using standard techniques. We then show that by 
slightly strengthening the assumption on computing residuosity classes we are 
able to extract many more simultaneously hard-core bits. More precisely, for any 
$\omega(\log n) < b < n$ we show that Paillier's scheme hides the $n - b$ least significant 
bits, if we assume that computing residuosity classes remains hard even if we are 
told that the class is smaller than $2^b$. 

The residuosity class problem seems to remain hard even in this case. Actually 
we see no way to exploit knowledge of the bound (i.e. the fastest known 
algorithm to compute $c$ even in this case is to factor $N$). We discuss this further 
in section El 

An interesting feature of our construction is that the number of bits hidden 
by the function is related to the underlying complexity assumption that one is 
willing to make. The smaller the bound is (i.e. the stronger the assumption), the 
more bits one can hide. 

A Theoretical Implication. If $f$ is a trapdoor permutation that simultaneously 
hides $k$ bits, then we can securely encrypt $k$ bits with a single invocation 
of $f$ (as originally described in (2|). 

However, for all previously known trapdoor functions (like RSA) $f : \{0,1\}^n \to 
\{0,1\}^n$ we only know how to prove that $k = O(\log n)$ bits are simultaneously 
hard-core. Thus to securely encrypt $m$ bits one needs to invoke the function 
$O(m / \log n)$ times. 

Another way to look at our result is that we show a candidate trapdoor 
function that hides up to $O(n)$ bits. To our knowledge this is the first example of 
a trapdoor problem with a super-logarithmic number of hard-core predicates. 

We also generalize our construction to a large class of trapdoor functions by 
giving sufficient conditions for a trapdoor function to hide super-logarithmically 
many bits.¹ 

Decisional Assumptions. As we mentioned earlier, the scheme of Paillier mg 
can also be proven to be semantically secure under a decisional problem involving 
residuosity classes. In other words, if we assume that deciding $N$-residuosity is 
hard, then his scheme hides all $n$ input bits. 

Notice however the difference with our result. We prove that these two 
schemes hide many bits under a computational assumption about computing 
residuosity classes. 

Decisional assumptions are very strong. Basically a decisional problem is a 
true/false question which we assume the adversary is not able to solve. Conversely, 
computational assumptions (only) require that the adversary cannot 
compute the full solution of a computational problem. Thus, whenever possible, 
computational assumptions should be preferred to decisional ones. 

The goal of this paper is to show examples of trapdoor functions that hide 
several bits without resorting to true/false questions. 



¹ The above discussion implicitly rules out iterated functions. Indeed ^ shows that if 
$f(x)$ is a one-way function and $\pi(x)$ is a hard-core predicate for it, then the iterated 
function $f^k(x)$ is clearly also one-way and it simultaneously hides the following $k$ bits: 
$\pi(x), \pi(f(x)), \ldots, \pi(f^{k-1}(x))$. We are interested in functions that hide several bits in 
a single iteration. 
Applications. The main application of our result is the construction of a new 
semantically secure encryption scheme based on Paillier's scheme. Assuming that 
Paillier's function securely hides $k$ bits, we can then securely encrypt an $m$-bit 
message using only $O(m/k)$ invocations; $k$ is of course a function of $n$, the 
security parameter of the trapdoor function. We can do this without resorting 
to the decisional assumption about $N$-residuosity, but simply basing our security 
on the hardness of computing residuosity classes. 

Today we can assume that $n = 1024$. Also in practice public-key cryptography 
is used to exchange keys for symmetric encryption. Thus we can then assume 
that $m = 128$. With a reasonable computational assumption we can encrypt the 
whole 128-bit key with a single invocation of Paillier's scheme. The assumption 
is that computing the class is hard even when we are promised that $c < 2^{896}$ 
(i.e. $b = n - 128$, so that the $n - b = 128$ least significant bits are hidden). 

We discuss this new scheme and make comparisons with existing ones in 
Section 0 

1.1 Related Work 

Computing high-degree residuosity classes is related to the original work of Goldwasser 
and Micali 0 who suggested quadratic residuosity in $\mathbb{Z}_N^*$ as a hard trapdoor 
problem (where $N$ is an RSA modulus). Later Benaloh |2| generalized this 
to deciding $s$-residuosity where $s$ is a small prime dividing $\phi(N)$. In Benaloh's 
scheme, $s$ is required to be small (i.e. $|s| = O(\log n)$) since the decryption procedure 
is exponential in $s$. By changing the structure of the underlying field, 
Okamoto-Uchiyama in Pj and Paillier in m were able to lift this restriction 
and consider higher degree residuosity classes. 

The idea of restricting the size of the input space of a one-way function in 
order to extract more hard bits goes back to Hastad et al. 0. They basically 
show that the ability to invert $f(x) = g^x \bmod N$ when $x$ is a random integer 
$x < O(\sqrt{N})$ is sufficient to factor $N$. Then they show that discrete log modulo 
a composite must have $n/2$ simultaneously hard bits, otherwise the above 
restricted-input function can be inverted (i.e. we could factor $N$). 0 shows the 
first example of a one-way function with a superlogarithmic number of hard-core 
bits. No such example was known for trapdoor functions. 

Building on ideas from 0, Patel and Sundaram in HH show that if one 
assumes that $f(x) = g^x \bmod p$ (with $p$ prime) remains hard to invert even when 
$x < B$, then discrete logarithm simultaneously hides $k - b$ bits ($k = |p|$, $b = |B|$). 
In their case, as in ours, one must make an explicit computational assumption 
about the hardness of inverting the function with small inputs. There is an 
important difference between HD and our computational assumption though. 
In HH we know that there exist algorithms to find $x < B$ given $y = g^x$, which 
run in $O(\sqrt{B})$ steps. In our case, as discussed in section HTtl an attack with a 
similar complexity is not known. 
1.2 Paper Organization 

In Section 3 we describe in detail the scheme based on Paillier's function. In 
Section 2] we generalize our result to a larger class of trapdoor functions, giving 
sufficient conditions for a trapdoor function to hide super-logarithmically many 
bits. We then discuss applications to public-key encryption and comparisons to 
other schemes in Section El Our work raises some interesting open problems 
which we list at the end in Section El 



2 Definitions 

In the following we denote with $\mathbb{N}$ the set of natural numbers and with $\mathbb{R}^+$ 
the set of positive real numbers. We say that a function $\mathrm{negl} : \mathbb{N} \to \mathbb{R}^+$ is 
negligible iff for every polynomial $P(n)$ there exists an $n_0 \in \mathbb{N}$ s.t. for all $n > n_0$, 
$\mathrm{negl}(n) < 1/P(n)$. We denote with $\mathcal{PRIMES}(k)$ the set of primes of length $k$. 

If $A$ is a set, then $a \leftarrow A$ indicates the process of selecting $a$ at random and 
uniformly over $A$ (which in particular assumes that $A$ can be sampled efficiently). 

Trapdoor Permutations. Let $f_n : \{0,1\}^n \to \{0,1\}^n$ be a family of permutations. 
We say that $f_n$ is a trapdoor family if the following conditions hold: 

— $f_n$ can be computed in polynomial time (in $n$) 

— $f_n$ can be inverted in polynomial time only if given a description of $f_n^{-1}$. I.e. 
for any probabilistic polynomial time Turing Machine $\mathcal{A}$ we have that 

$$\Pr[x \leftarrow \{0,1\}^n;\ \mathcal{A}(f_n, f_n(x)) = x] = \mathrm{negl}(n)$$

The above notion can be generalized to probabilistic functions where each $f_n : 
\{0,1\}^n \times \{0,1\}^r \to \{0,1\}^{n+r}$ is a permutation, but we look at the second 
argument as a random string and we assume that given $y \in \{0,1\}^{n+r}$ we cannot 
compute the first argument, i.e. for any probabilistic polynomial time Turing 
Machine $\mathcal{A}$ we have that 

$$\Pr[x \leftarrow \{0,1\}^n;\ s \leftarrow \{0,1\}^r;\ \mathcal{A}(f_n, f_n(x, s)) = x] = \mathrm{negl}(n)$$

Hard-Core Bits. A Boolean predicate $\pi$ is said to be hard for a function 
$f_n$ if no efficient algorithm $\mathcal{A}$, given $y = f_n(x)$, guesses $\pi(x)$ with probability 
substantially better than $1/2$. More formally, for any probabilistic polynomial 
time Turing Machine $\mathcal{A}$ we have that 

$$\left|\Pr[x \leftarrow \{0,1\}^n;\ \mathcal{A}(f_n, f_n(x)) = \pi(x)] - \tfrac{1}{2}\right| = \mathrm{negl}(n)$$

For one-way functions $f_n$, a possible way to prove that a predicate $\pi$ is hard is to 
show that any efficient algorithm $\mathcal{A}$ that on input $y = f_n(x)$ guesses $\pi(x)$ with 
probability bounded away from $1/2$ can be used to build another algorithm $\mathcal{A}'$ 
that on input $y$ computes $x$ with non-negligible probability. 
Simultaneously Hard Bits. A collection of $k$ predicates $\pi_1, \ldots, \pi_k$ is called 
simultaneously hard-core for $f_n$ if, given $y = f_n(x)$, the whole collection of bits 
$\pi_1(x), \ldots, \pi_k(x)$ looks "random". A way to formalize this (following d) is to 
say that it is not possible to guess the value of the $j$-th predicate even after seeing 
$f_n(x)$ and the value of the previous $j - 1$ predicates over $x$. Formally, for every 
$j = 1, \ldots, k$, for every probabilistic polynomial time Turing Machine $\mathcal{A}$ we have 
that: 

$$\left|\Pr[x \leftarrow \{0,1\}^n;\ \mathcal{A}(f_n, f_n(x), \pi_1(x), \ldots, \pi_{j-1}(x)) = \pi_j(x)] - \tfrac{1}{2}\right| = \mathrm{negl}(n)$$

Here too, a proof method for simultaneously hard-core bits is to show that an 
efficient algorithm $\mathcal{A}$ contradicting the above equation can be used to build 
another efficient algorithm $\mathcal{A}'$ which inverts $f_n$ with non-negligible probability. 


3 Bit Security of Paillier's Scheme 

In this section we present our candidate trapdoor function which is based on 
work by Paillier cni- Readers are referred to m for details and proofs which 
are not given here. 

Preliminaries. Let $N = pq$ be an RSA modulus, i.e. the product of two large 
primes of roughly the same size. Consider the multiplicative group $\mathbb{Z}_{N^2}^*$. 

Let $g \in \mathbb{Z}_{N^2}^*$ be an element whose order is a non zero multiple of $N$. Let 
us denote with $\mathcal{B}$ the set of such elements. It can be shown that $g$ induces a 
bijection 

$$\mathcal{E}_g : \mathbb{Z}_N \times \mathbb{Z}_N^* \to \mathbb{Z}_{N^2}^*, \qquad \mathcal{E}_g(x, y) = g^x y^N \bmod N^2.$$

Thus, given $g$, for an element $w \in \mathbb{Z}_{N^2}^*$ there exists a unique pair $(c, z) \in 
\mathbb{Z}_N \times \mathbb{Z}_N^*$ such that $w = g^c z^N \bmod N^2$. We say that $c$ is the class of $w$ relative 
to $g$. We may also denote this with $\mathrm{Class}_g(w)$. 

We define the Computational Composite Residuosity Class Problem as the 
problem of computing $c$ given $w$ and assume that it is hard to solve. 

Definition 1. We say that computing the function $\mathrm{Class}_g(\cdot)$ is hard if, for every 
probabilistic polynomial time algorithm $\mathcal{A}$, there exists a negligible function 
$\mathrm{negl}()$ such that 

$$\Pr\left[\begin{array}{l} p, q \leftarrow \mathcal{PRIMES}(n/2);\ N = pq; \\ g \leftarrow \mathbb{Z}_{N^2}^* \text{ s.t. } N \mid \mathrm{ord}(g); \\ c \leftarrow \mathbb{Z}_N;\ z \leftarrow \mathbb{Z}_N^*;\ w = g^c z^N \bmod N^2; \\ \mathcal{A}(N, g, w) = c \end{array}\right] = \mathrm{negl}(n)$$

It can be shown that if the factorization of $N$ is known then one could solve 
this problem: indeed let $\lambda = \mathrm{lcm}(p-1, q-1)$, then 

$$\mathrm{Class}_g(w) = \frac{L(w^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N \tag{1}$$

where $L$ is defined as the integer² $L(u) = (u - 1)/N$. 

An interesting property of the class function is that it is homomorphic: for 
$x, y \in \mathbb{Z}_{N^2}^*$ 

$$\mathrm{Class}_g(xy \bmod N^2) = \mathrm{Class}_g(x) + \mathrm{Class}_g(y) \bmod N$$

It is also easy to see that $\mathrm{Class}_g(\cdot)$ induces an equivalence relationship (where 
elements are equivalent if they have the same class) and thus for each $c$ we have 
$\phi(N)$ elements in $\mathbb{Z}_{N^2}^*$ with class equal to $c$, one for each $z \in \mathbb{Z}_N^*$. 

3.1 The Least Significant Bit of Class Is Hard 

As we said in the introduction, Goldreich and Levin pj proved that any one-way 
function has a hard-core bit. Clearly their result applies to Paillier's scheme as 
well. Here, however, we present a direct and more efficient construction of a 
hard-core bit. 

Consider the function $\mathrm{Class}_g(\cdot)$ defined as in the previous section. We show 
that, given $w = g^c y^N \bmod N^2$ for some $c \in \mathbb{Z}_N$ and $y \in \mathbb{Z}_N^*$, computing the 
predicate $\mathrm{lsb}(c)$ is equivalent to computing $\mathrm{Class}_g(w)$, i.e. $\mathrm{lsb}(c)$ is hard for 
$\mathrm{Class}_g$. We start with the following Lemma. 

Lemma 1. Let $N$ be a random $n$-bit RSA modulus, $y \in \mathbb{Z}_N^*$, $c$ an even element 
of $\mathbb{Z}_N$ and $g$ an element in $\mathcal{B}$. Then, denoting $z = 2^{-1} \bmod N$, 

$$(g^c y^N)^z = g^{c/2}\, y'^N \bmod N^2$$

for some $y' \in \mathbb{Z}_N^*$. 

Proof. Since $z = 2^{-1} \bmod N$, there exists an integer $k$ such that $2z = 1 + kN$. 
Now 

$$(g^c y^N)^z = g^{cz} y^{Nz} \bmod N^2 = g^{c/2} \bigl(g^{ck/2}\, y^z\bigr)^N \bmod N^2$$

Observe that, the group $\mathbb{Z}_{N^2}^*$ being isomorphic to $\mathbb{Z}_N \times \mathbb{Z}_N^*$ (for $g \in \mathcal{B}$), this 
is enough to conclude the proof. □ 

Theorem 1. Let $N$ be a random $n$-bit RSA modulus, and let the functions $\mathcal{E}_g(\cdot, \cdot)$ 
and $\mathrm{Class}_g(\cdot)$ be defined as above. If the function $\mathrm{Class}_g(\cdot)$ is hard (see Definition 
1), then the predicate $\mathrm{lsb}(\cdot)$ is hard for it. 

Proof. The proof goes by reductio ad absurdum: we suppose the given predicate 
not to be hard, and then we prove that if some oracle $O$ for $\mathrm{lsb}(\cdot)$ exists, then 
this oracle can be used to construct an algorithm that computes the assumed 
intractable function, in probabilistic polynomial time. In other words, given $w \in 
\mathbb{Z}_{N^2}^*$ such that $w = \mathcal{E}_g(c, y)$, and an oracle $O(g, w) = \mathrm{lsb}(c)$, we show how to 
compute, in probabilistic polynomial time, the whole value $c = \mathrm{Class}_g(w)$. 

For the sake of clarity we divide the proof in two cases, depending on what 
kind of oracle is given to us. In the first case we suppose to have access to a 

² It is easy to see that both $w^\lambda$ and $g^\lambda$ are $\equiv 1 \bmod N$. 
perfect oracle, that is an oracle for which $\Pr_w[O(g, w) = \mathrm{lsb}(c)] = 1$. Then we 
will show how to generalize the proof for the more general case in which the 
oracle is not perfect, but has some non negligible advantage in predicting the 
required bit. In this last case we will suppose $\Pr_w[O(g, w) = \mathrm{lsb}(c)] \ge \frac{1}{2} + \epsilon(n)$ 
where $\epsilon(n) > 1/p(n)$ for some polynomial $p(\cdot)$. For convenience we will denote $\epsilon(n)$ 
by simply $\epsilon$ in the following analysis. 

The Perfect Case. The algorithm computes $c$, bit by bit starting from $\mathrm{lsb}(c)$. 
Denote $c = c_n \cdots c_2 c_1$ the bit expansion of $c$. It starts by querying $O(g, w)$ which 
by assumption will return $c_1 = \mathrm{lsb}(c)$. Once we know $c_1$ we can "zero it out" by 
using the homomorphic properties of the function Class. This is done by computing 
$w' = w \cdot g^{-c_1}$. Finally we use Lemma 1 to perform a "bit shift" and position $c_2$ 
in the lsb position. We then iterate the above procedure to compute all of $c$. A 
detailed description of the algorithm follows (where $()$ denotes the empty string 
and $\alpha | \beta$ is the concatenation of the bit strings $\alpha$ and $\beta$): 

ComputeClass(O, w, g, N) 

  1. z = 2^{-1} mod N 
  2. c = () 
  3. for i = 0 to n = |N| 
  4.     x = O(g, w) 
  5.     c = c | x 
  6.     if (x == 1) then 
  7.         w = w · g^{-1} mod N^2          (bit zeroing) 
  8.     w = w^z mod N^2                     (bit shifting) 
  9. return c 

The Imperfect Oracle. In this case the above algorithm does not work, 
because we are not guaranteed that $x$ is the correct bit during any of the iterations. 
We need to use randomization to make use of the statistical advantage of 
the oracle in guessing the bit. This is done by choosing randomly $r \in_R \mathbb{Z}_N$ and 
$s \in_R \mathbb{Z}_N^*$, considering $\tilde{w} = w \cdot g^r \cdot s^N$ and querying $O(g, \tilde{w})$ on several randomized 
$\tilde{w}$'s. 

Notice that if $c + r < N$ the oracle returns as output $c_1 + r_1 \bmod 2$, and since 
we know $r_1$ we can compute $c_1$. A majority vote on the result of all the queries 
will be the correct $c_1$ with very high probability. 

In order to ensure that $c + r < N$, we somewhat "reduce" the size of $c$. We 
guess the top $\gamma = 1 - \log \epsilon$ bits of $c$, and zero them accordingly, for all $2^\gamma$ 
choices $d$ of the guess (note that this is a polynomial, in $n$, number of choices). 

Of course if we guessed incorrectly the actual top bits of $c$ will not be 
zeroed, however for one of our guesses they will be, and this guess will yield the 
correct answer. 

Observe that, since we zeroed the leading $\gamma$ bits of $c$, the sum $r + c$ can wrap 
around $N$ only if the $\gamma$ most significant bits of $r$ are all 1. Thus the probability 
of $r + c \ge N$ is smaller than $2^{-\gamma} = \epsilon/2$. We can add this probability to the error 
probability of the oracle. Consequently the oracle is now correct with probability 
$\frac{1}{2} + \frac{\epsilon}{2}$. This simply implies that we need to increase the number of randomized 
queries accordingly. 

Once $c_1$ is known, we zero it and we perform a shift to the right as before. 
We then repeat the process for the remaining bits. Since the correct $d$ is still 
unknown, we obtain a (polynomially sized) set of candidate values for $c$. Notice 
that we cannot check, given $w$, which one of the $c$'s is the correct one. However 
this still implies an algorithm to output $c$ correctly with probability $1/\mathrm{poly}(n)$, 
which contradicts Definition 1. □ 
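
The following Python script is an added example, not code from the paper, tying together the Preliminaries of Section 3 (the map $\mathcal{E}_g$, equation (1) and the homomorphic property), Lemma 1, the ComputeClass algorithm of the perfect case, and the randomization $\tilde{w} = w g^r s^N$ used against an imperfect oracle. It uses constructed toy primes $p = 1019$, $q = 1031$ and the generator $g = 1 + N$ (an assumption; any $g$ whose order is a non-zero multiple of $N$ would do). The lsb oracle is simulated with the trapdoor, which is exactly what the reduction in the proof does not have; the point is that `compute_class` itself only ever uses the oracle, the homomorphism and Lemma 1. 

```python
import math
import random

# Added example (not code from the paper): Paillier's class function of
# Section 3 and the ComputeClass algorithm from the proof of Theorem 1.
# The modulus is built from constructed toy primes so every step can be
# followed by hand; a real N is a 1024+-bit RSA modulus.
P, Q = 1019, 1031                                    # assumption: toy primes
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # lambda = lcm(p-1, q-1)
G = 1 + N          # assumption: g = 1+N, whose order is exactly N, so g is in B


def L(u):
    """Paillier's L function L(u) = (u - 1)/N, defined for u = 1 mod N."""
    assert (u - 1) % N == 0
    return (u - 1) // N


def E(c, y, g=G):
    """The bijection E_g(c, y) = g^c y^N mod N^2 from Z_N x Z_N^* to Z_{N^2}^*."""
    return pow(g, c, N2) * pow(y, N, N2) % N2


def class_with_trapdoor(w, g=G):
    """Equation (1): Class_g(w) = L(w^lambda mod N^2) / L(g^lambda mod N^2) mod N.
    Needs lambda, i.e. the factorization of N: this is the legitimate receiver."""
    num = L(pow(w, LAM, N2))
    den = L(pow(g, LAM, N2))
    return num * pow(den, -1, N) % N


def homomorphic_check(c1, y1, c2, y2):
    """Class_g(xy mod N^2) = Class_g(x) + Class_g(y) mod N."""
    return class_with_trapdoor(E(c1, y1) * E(c2, y2) % N2) == (c1 + c2) % N


def lemma1_halve(w):
    """Lemma 1: for even c, raising w = g^c y^N to z = 2^{-1} mod N gives an
    element of class c/2, i.e. a right shift of the class by one bit."""
    return pow(w, pow(2, -1, N), N2)


def rerandomize(w, r, s, g=G):
    """Randomization used against an imperfect oracle: w~ = w g^r s^N has
    class c + r mod N, so a query on w~ reveals lsb(c + r) when c + r < N."""
    return w * pow(g, r, N2) * pow(s, N, N2) % N2


def perfect_lsb_oracle(w):
    """Stand-in for the oracle O(g, w) = lsb(c), simulated with the trapdoor
    (which the reduction in the paper does not have)."""
    return class_with_trapdoor(w) & 1


def compute_class(oracle, w, g=G):
    """ComputeClass(O, w, g, N), perfect-oracle case: recover all of c using
    only oracle answers, the homomorphism and Lemma 1."""
    g_inv = pow(g, -1, N2)
    bits = []                              # c = ()
    for _ in range(N.bit_length()):        # for i = 0 to n = |N|
        x = oracle(w)                      # x = O(g, w)
        bits.append(x)                     # c = c | x, least significant bit first
        if x == 1:
            w = w * g_inv % N2             # bit zeroing: class c -> c - 1 (even)
        w = lemma1_halve(w)                # bit shifting: class -> class / 2
    c = 0
    for b in reversed(bits):
        c = (c << 1) | b
    return c


if __name__ == "__main__":
    rng = random.Random(2001)
    c = rng.randrange(N)
    y = rng.randrange(1, N)
    while math.gcd(y, N) != 1:             # y must lie in Z_N^*
        y = rng.randrange(1, N)
    w = E(c, y)
    assert class_with_trapdoor(w) == c
    assert compute_class(perfect_lsb_oracle, w) == c
    print("recovered class", c, "from", N.bit_length(), "lsb queries")
```

Run as a script it draws a random class $c$, builds $w = \mathcal{E}_g(c, y)$ and recovers $c$ from $|N| = 21$ oracle queries. Swapping `perfect_lsb_oracle` for one that is right only with probability $1/2 + \epsilon$ breaks the loop at the first wrong answer, which is why the imperfect case above needs `rerandomize` together with a majority vote and the guess of the top $\gamma$ bits. 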



3.2 Simultaneous Security of Many Bits 

It is not hard to show that Classg{-) hides O(logn) bits simultaneously (this can 
be shown using standard techniques). In this section we show that by slightly 
strenghtening the computational assumption about computing residuosity class 
then we can increase the number of simultaneously secure bits, up to 0{n). 

What we require is that $\mathrm{Class}_g(\cdot)$ is hard to compute even when $c$ is chosen at random from $[0..B]$ where $B$ is a bound smaller than $N$. More formally:

Definition 2. We say that computing the function $\mathrm{Class}_g(\cdot)$ is $B$-hard if, for every probabilistic polynomial time algorithm $A$, there exists a negligible function $\mathrm{negl}()$ such that

$$\Pr\left[\begin{array}{l} p, q \leftarrow \mathrm{PRIMES}(n/2);\ N = pq; \\ g \leftarrow \mathbb{Z}_{N^2}^* \text{ s.t. } \mathrm{ord}(g) > N; \\ c \leftarrow [0..B];\ z \leftarrow \mathbb{Z}_N^*;\ w = g^{c} z^{N} \bmod N^2; \\ A(N, g, w) = c \end{array}\right] \le \mathrm{negl}(n)$$



Clearly in order for $\mathrm{Class}_g$ to be $B$-hard, it is necessary that the bound $B$ be sufficiently large. If we had only a polynomial (in $n$) number of guesses, then the definition would be clearly false. Thus when we assume that $\mathrm{Class}_g$ is $B$-hard we implicitly assume that $b = \log B = \omega(\log n)$.

Theorem 2. Let $N$ be a random $n$-bit RSA modulus; $B = 2^{b}$. If the function $\mathrm{Class}_g(\cdot)$ is $B$-hard (see Definition 2) then it has $n - b$ simultaneously hard-core bits.



3.3 Proof of Theorem 2

In order to prove Theorem 2 we first need to show that the bits in positions $1, 2, \ldots, n - b$ are individually secure. Then we prove simultaneous security.

Individual Security. Let $i$ be an integer $1 \le i \le n - b$ and assume that we are given an oracle $O_i$ which on input $N$, $g$ and $u \in_R \mathbb{Z}_{N^2}^*$ computes correctly the $i$-th bit of $\mathrm{Class}_g(u)$ with a probability (over $u$) of $1/2 + \epsilon(n)$, where again $\epsilon(n) > 1/\mathrm{poly}(n)$.

In order to show that $\mathrm{Class}_g(\cdot)$ is not $B$-hard, we will show how to build an algorithm $A$ which uses $O_i$ and, given $w \in \mathbb{Z}_{N^2}^*$ with $\mathrm{Class}_g(w) < B$, computes $c = \mathrm{Class}_g(w)$. Let $\gamma = 1 - \log \epsilon = O(\log n)$.

We split the proof in two parts: the first case has $1 \le i \le n - b - \gamma$. The second one deals with $n - b - \gamma < i \le n - b$.

If $1 \le i \le n - b - \gamma$ the inversion algorithm works as follows. We are given $w \in \mathbb{Z}_{N^2}^*$ where $w = g^{c} z^{N} \bmod N^2$ and we know that $c = \mathrm{Class}_g(w) < B$. We compute $c$ bit by bit; let $c_j$ denote the $j$-th bit of $c$. To compute $c_1$ we square $w$, $i$ times, computing $w_i = w^{2^i} \bmod N^2$. This will place $c_1$ in the $i$-th position (with all zeroes to its right). Since the oracle may be correct only slightly more than half of the times, we need to randomize the query. Thus we choose $r \in_R \mathbb{Z}_N$ and $s \in_R \mathbb{Z}_N^*$ and finally query the oracle on $\tilde w = w_i g^{r} s^{N} \bmod N^2$. Notice the following:

— Given the assumptions on $B$ and $i$ we know that $w_i = w^{2^i} = g^{2^i c} z^{2^i N}$ and $2^i c$ is not taken mod $N$ since it will not “wrap around”.

— $\mathrm{Class}_g(\tilde w) = 2^i c + r \bmod N$. But since $2^i c$ has at least $\gamma$ leading zeroes the probability (over $r$) that $2^i c + r$ wraps around is $\le \epsilon/2$.

— Since $c_1$ has all zeroes to its right, there are no carries in the $i$-th position of the sum. Thus by subtracting $r_i$ from the oracle's answer we get $c_1$ unless $2^i c + r$ wraps around or the oracle provides a wrong answer.

In conclusion we get the correct $c_1$ with probability $1/2 + \epsilon/2$, thus by repeating the process several (polynomially many) times and taking the majority we get the correct $c_1$ with very high probability.

Once we get $c_1$, we “zero” it in the squared $w_i$ by setting $w_i \leftarrow w_i g^{-2^i c_1} \bmod N^2$. Then we perform a “shift to the right” using Lemma 1, setting $w_i \leftarrow w_i^{z} \bmod N^2$ where $z = 2^{-1} \bmod N$. At this point we have $c_2$ in the oracle position and we can repeat the randomized process to discover it. We iterate the above process to discover all the bits of $c$.*

Since each bit is determined with very high probability, the value $c = c_b \cdots c_1$ will be correct with non-negligible probability.

If $n - b - \gamma < i \le n - b$ the above procedure may fail since now $2^i c$ does not have $\gamma$ leading zeroes anymore. We fix this problem by guessing the $\gamma$ leading bits of $c$ (i.e. $\ldots, c_b$). This is only a polynomial number of guesses.

For each guess, we “zero” those bits (let $a$ be the $\gamma$-bit integer corresponding to each guess and set $w \leftarrow w g^{-a} \bmod N^2$). Now we are back in the situation we described above and we can run the inversion algorithm. This will give us a polynomial number of guesses for $c$ and we output one of them, randomly chosen, which will be the correct one with non-negligible probability. Notice that we are not able to verify if the solution is the correct one, but in any case the algorithm violates our security assumption (see Definition 2).

* We note that Lemma 1 is necessary to perform “shifts to the right” only for the bits in position $i = 1, \ldots, b$. For the other ones we can shift to the right by simply “undoing” the previous squaring operations.
Simultaneous Security. Notice that in the above inversion algorithm, every time we query $O_i$ with the value $\tilde w$ we know all the bits in position $1, \ldots, i - 1$ of $\mathrm{Class}_g(\tilde w)$. Indeed these are the first $i - 1$ bits of the randomizer $r$. Thus we can substitute the above oracle with the weaker one $O_i$ which expects $\tilde w$ and the bits of $\mathrm{Class}_g(\tilde w)$ in position $1, \ldots, i - 1$. □
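As an added example (not code from the paper), here is the inversion algorithm of the proof of Theorem 2 run against a simulated bit oracle on a toy Paillier instance: squaring to move a bit into the oracle position, the randomized query $\tilde w = w_i g^r s^N$, the majority vote, zeroing the recovered bit, and the shift to the right by $2^{-1} \bmod N$. The toy primes 1009 and 1013, the 0-indexed bit positions and all function names are assumptions of this example, and the oracle is built from the trapdoor $\lambda$ only to stand in for the hypothetical $O_i$.

```python
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q, rng):
    """Toy Paillier parameters: N = pq, lambda = lcm(p-1, q-1) and a random g whose
    order is a multiple of N (Paillier's test gcd(L(g^lambda mod N^2), N) = 1)."""
    N, lam = p * q, lcm(p - 1, q - 1)
    N2 = N * N
    while True:
        g = rng.randrange(2, N2)
        if gcd(g, N2) == 1 and gcd((pow(g, lam, N2) - 1) // N, N) == 1:
            return N, g, lam


def class_g(w, N, g, lam):
    """Trapdoor evaluation of Class_g(w), the c with w = g^c z^N mod N^2,
    via Paillier's L(u) = (u - 1) / N applied to w^lambda and g^lambda."""
    N2 = N * N
    L = lambda u: (u - 1) // N
    return L(pow(w, lam, N2)) * pow(L(pow(g, lam, N2)), -1, N) % N


def random_unit(N, rng):
    """A random element of Z_N^*."""
    while True:
        z = rng.randrange(1, N)
        if gcd(z, N) == 1:
            return z


def encode_class(c, N, g, rng):
    """A random w = g^c z^N mod N^2 with Class_g(w) = c."""
    N2 = N * N
    return pow(g, c, N2) * pow(random_unit(N, rng), N, N2) % N2


def make_bit_oracle(i, N, g, lam):
    """Simulated O_i returning bit i (0-indexed) of Class_g(u). Built from the
    trapdoor here; the proof only needs it right with probability 1/2 + eps."""
    return lambda u: (class_g(u, N, g, lam) >> i) & 1


def recover_class(w, N, g, i, b, oracle, rng, queries=25):
    """Inversion algorithm of the proof of Theorem 2 (case 2^(i+b) much smaller
    than N): given w with Class_g(w) < 2^b, recover c = Class_g(w) using only O_i.
    Invariant: Class_g(w_i) = 2^i * c', where c' holds the bits not yet recovered."""
    N2 = N * N
    z = pow(2, -1, N)                  # 2^{-1} mod N, the shift-to-the-right exponent
    w_i = pow(w, 1 << i, N2)           # square w i times: Class_g(w_i) = 2^i * c
    c = 0
    for j in range(b):
        votes = 0
        for _ in range(queries):
            # Randomized query: Class_g(wt) = 2^i c' + r mod N with fresh r and s.
            r = rng.randrange(N)
            wt = w_i * pow(g, r, N2) * pow(random_unit(N, rng), N, N2) % N2
            # Bits of 2^i c' below position i are zero, so no carry reaches bit i:
            # the answer is c'_0 XOR r_i unless 2^i c' + r wrapped around N, which
            # is rare because 2^i c' < N has many leading zeroes.
            votes += oracle(wt) ^ ((r >> i) & 1)
        bit = 1 if 2 * votes > queries else 0      # majority vote over the queries
        c |= bit << j
        w_i = w_i * pow(g, -(bit << i), N2) % N2   # zero the recovered bit in w_i
        w_i = pow(w_i, z, N2)                      # shift right (Lemma 1): next bit to position i
    return c


def demo(seed=1, c=None):
    """Run the reduction on a constructed instance.
    Returns (true c, trapdoor Class_g(w), c recovered from the bit oracle)."""
    rng = random.Random(seed)
    N, g, lam = keygen(1009, 1013, rng)            # constructed toy primes, N ~ 2^20
    b, i = 8, 6                                    # c < 2^8; oracle for bit 6
    c = rng.randrange(1 << b) if c is None else c
    w = encode_class(c, N, g, rng)
    oracle = make_bit_oracle(i, N, g, lam)
    return c, class_g(w, N, g, lam), recover_class(w, N, g, i, b, oracle, rng)


if __name__ == "__main__":
    print(demo())
```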



3.4 Security Analysis 

We note here that the class problem can be considered a weaker version of a composite discrete log problem. Let $d = \gcd(p - 1, q - 1)$ and let $C_m$ denote the cyclic group of $m$ elements; then for any $t$ dividing $\lambda$ we have

$$\mathbb{Z}_{N^2}^* \cong C_d \times C_{\lambda/t} \times C_{Nt}.$$

Let $g_2, g_1, g \in \mathbb{Z}_{N^2}^*$ be the preimages, under such an isomorphism, of generators of $C_d$, $C_{\lambda/t}$ and $C_{Nt}$ respectively. Thus we can represent any element of $\mathbb{Z}_{N^2}^*$ uniquely as $g_2^{e_2} g_1^{e_1} g^{e}$, where $e_2 \in \mathbb{Z}_d$, $e_1 \in \mathbb{Z}_{\lambda/t}$ and $e \in \mathbb{Z}_{Nt}$. For a given $g, g_1, g_2 \in \mathbb{Z}_{N^2}^*$ the composite discrete logarithm problem we consider is to find these $e, e_1, e_2$ for any given $w \in \mathbb{Z}_{N^2}^*$. For a given $g$, the class problem is to find just $e \bmod N$ for any given $w \in \mathbb{Z}_{N^2}^*$.

Obviously if one can solve the composite discrete logarithm problem, one can solve the class problem; in particular

$$w = g_2^{e_2} g_1^{e_1} g^{e} = \left(g_2^{k_2 e_2}\, g_1^{k_1 e_1}\, g^{l}\right)^{N} g^{x} = y^{N} g^{x} \bmod N^2$$

where $k_2 = N^{-1} \bmod d$, and $k_1 = N^{-1} \bmod \lambda/t$, where we note we can make sure $x \in \{0 \ldots N\}$ by a suitable choice of $l$, and we can force $y \in \mathbb{Z}_N^*$ since $(y + kN)^{N} = y^{N} \bmod N^2$.

However there is a very important distinction between the class problem and the discrete log problem. In the composite discrete logarithm problem, if we are given $g, g_1, g_2, e, e_1, e_2$ and $w$ we can verify (in polynomial time) that we do indeed have the discrete logarithm of $w$. A fascinating and open question in the class problem is to determine the complexity of an algorithm that verifies the class is correct given only $g$, $e \bmod N$ and $w$. The equation above shows that this is no harder than factoring, but nothing more is presently known.

Assuming that the function $\mathrm{Class}_g$ is hard to compute even in the case that $c < B$ may seem a very strong requirement. It is in some way non-standard.

In order to partially justify it, we notice that not even a trivial exhaustive search algorithm (running in time $O(B)$) seems to work, since even if one is given a candidate $c$ there is no way to verify that it is correct. Verification is equivalent to determining if one has an $N$-th residue modulo $N^2$, and this seems a hard problem.

Of course if one did have a verification algorithm that ran in time $M$ then the trivial exhaustive search method would take time $O(MB)$ and there may well be a baby-step, giant-step extension of the method that took time $O(M\sqrt{B})$. Without an efficient verification algorithm it seems hard to exploit the fact that $c < B$.

Of course because this is a new assumption we are not able to make any stronger claim on its security. Further research in this direction will either validate the security assumption or lead us to learn and discover new things about the residuosity class problem. We note, though, that our main theorem still holds (because we can choose $B$ to be large enough to prevent $O(\sqrt{B})$ attacks) even if there were an efficient verification algorithm.



4 A General Result 

In this section we briefly show how to generalize the results from the previous section to any family of trapdoor functions with some well defined properties. We show two theorems: the first is a direct generalization of Theorem 2; the second theorem holds for the weaker case in which we do not know the order of the group on which the trapdoor function operates. In this case we are able to extract fewer hard-core bits.

Theorem 3. Let $M$ be an $m$-bit odd integer, and $G$ a group with respect to the operation of multiplication. Let $f : \mathbb{Z}_M \to G$ be a one-way, trapdoor isomorphic function (i.e. such that $f(a + b \bmod M) = f(a) \cdot f(b) \in G$). Then, under the assumption that $f$ remains hard to invert when its input belongs to the closed interval $[0 \ldots B]$, with $B = 2^{b}$, it follows that $f$ has $m - b$ simultaneously hard bits.

It is not hard to see that the techniques of the proof of Theorem 2 can be extended to the above case.

The above theorem assumes that $M$ is exactly known. Let us now consider the case in which $M$ is not known, but we have a very close upper bound on it, i.e. we know $\tilde M \ge M$ such that $\ldots = \mathrm{negl}(m)$. Moreover we assume that $f$ is computable on any integer input (but taken $\bmod M$), i.e. we assume that there is an efficient algorithm $A$ that takes as input any integer $x$ and returns as output $A(x) = f(x \bmod M)$.

Theorem 4. Under the assumption that $f$ remains hard to invert when its input belongs to the closed interval $[0 \ldots B]$, with $B = 2^{b} < \sqrt{M}$, $f$ has $m - 2b$ simultaneously hard bits.

Proof. The proof follows the same outline as the proof of Theorem 2 except that in this case we are not able to perform “shifts to the right” as outlined in Lemma 1, since we do not know $M$ exactly. Thus the proof succeeds only for the bits in location $b + 1, \ldots, m - b$. Notice that this implies $b < m/2$, i.e. $B < \sqrt{M}$.

Again, we first show that each bit is individually secure. We then extend this to 
prove simultaneous hardness. 

Individual Security. Let $i$ be an integer $b < i \le n - b$ and assume that we are given an oracle $O_i$ which on input $M$ and $u \in_R G$ computes correctly the $i$-th bit of $f^{-1}(u)$ with probability $1/2 + \epsilon(m)$ where $\epsilon(m) > 1/\mathrm{poly}(m)$. As in the proof of Theorem 2 we prove the statement by providing an algorithm $A$ which uses $O_i$ and, given $w \in G$ with $f^{-1}(w) < B$, computes $c = f^{-1}(w)$.

The inversion algorithm works almost as the one proposed in the proof of Theorem 2. The main difference is that this time we cannot use Lemma 1 to perform shifts to the right. However, in order to let the proof go through, we adopt the following trick: once $c_1$ is known we “zero” it in the original $w$ by setting $w \leftarrow w \cdot f(-c_1 \bmod M)$. We then repeat the process with the other bits. The only differences with the above process when computing $c_j$ are that:

— we need to square $w$ only $i - j + 1$ times (actually by saving the result of the intermediate squarings before, this is not necessary).

— to zero $c_j$ once we found it we need to set $w \leftarrow w \cdot f(-2^{j-1} c_j \bmod M)$.

Since each bit is determined with very high probability, the value $c = c_b \cdots c_1$ will be correct with non-negligible probability.

The simultaneous security of the bits in position $b, b + 1, \ldots, n - b$ easily follows, as described in the proof of Theorem 2. Details will appear in the final version of this paper.

5 Applications to Secure Encryption 

In this section we show how to construct a secure encryption scheme based on 
our results. 

For concreteness let us focus on fixed parameters, based on today's computing power. We can assume that $n = 1024$ is the size of the RSA modulus $N$ and $m = 128$ (the size of a block cipher key) to be the size of the message $M$ that has to be securely exchanged.

Our solution. Using Paillier's $\mathrm{Class}_g(\cdot)$ function with our proof methods, it is possible to securely hide the message $M$ with a single invocation of the function. In order to encrypt 128 bits we need to set $n - b \ge 128$, which can be obtained for the maximum possible choice of $b = 896$ (i.e. the weakest possible assumption). In other words we need to assume that $\mathrm{Class}_g$ is hard to invert when $c < B = 2^{896}$.

To encrypt $M$ one sets $c = r_1 | M$ where $r_1$ is a random string, chooses $y$ and sends $w = g^{c} y^{N}$. This results in two modular exponentiations for the encryption and one exponentiation to decrypt (computations are done mod $N^2$). The ciphertext size is $2n$.

RSA. In the case of plain RSA we can assume also that the RSA function hides only one bit per encryption (see [?]). In this scenario to securely encrypt (and also decrypt) the message we need 128 exponentiations mod $N$. The size of the ciphertext is $mn = 128$ Kbit. Encryption speed can be much improved by considering RSA with small public exponent. In any case our scheme is better for decryption speed and message blow-up.
Blum-Goldwasser. Blum and Goldwasser in [?] show how to encrypt with the RSA/Rabin function and pay the $O(m/\log n)$ penalty only in encryption. The idea is to take a random seed $r$ and apply the RSA/Rabin function $m$ times to it and each time output the hard bit. Then one sends the final result of the iteration and the masked ciphertext $M \oplus B$ where $B$ is the string of hard bits. It is sufficient to compute $r$ from the final result to decrypt and this takes a single exponentiation. The size of the ciphertext is $n + m$.

Using the Rabin function this costs only 128 multiplications to encrypt and 
a single exponentiation to decrypt. We clearly lose compared to this scheme. 

Remark: It is worth noticing that even if the proposed solution is less efficient, in practice, than the Blum-Goldwasser one, it remains asymptotically better. As a matter of fact, we need only $O(m/k)$ (where $k = \omega(\log n)$ is the number of simultaneously hard bits produced) invocations of the trapdoor function, while all previously proposed schemes require many more invocations (in general, the number of invocations has order $O(m/\log n)$). Basically for longer messages we may “catch up” with the other schemes.

The observed slow-down solely depends on the fact that the function used is less efficient than RSA or Rabin. It would be nice to come up with more efficient trapdoor functions that also hide many bits.



6 Conclusions 

In this paper we presented the bit security analysis of the encryption scheme proposed by Paillier at Eurocrypt '99 [?]. We prove that the scheme hides the least significant bit of the $N$-residuosity class. Also, by slightly strengthening the computational assumption about residuosity classes, we can show that Paillier's encryption scheme hides up to $O(n)$ bits.

An interesting theoretical implication of our results is that we presented the first candidate trapdoor functions that hide many (up to $O(n)$) bits. No such object was known previously in the literature.

There are several problems left open by this research. Are there trapdoor functions that hide $\omega(\log n)$ bits and are comparable in efficiency to RSA/Rabin? In the case of RSA/Rabin can we come up with a “restricted input assumption” that will allow us to prove that they also hide $\omega(\log n)$ bits? Regarding our new assumptions: is it possible to devise an algorithm to compute $\mathrm{Class}_g(\cdot) < B$ that depends on $B$?
Abstract. The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, the problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.

In this paper we identify parameters relevant to cryptographic applica- 
tions and describe a formal framework for defining DL-related assump- 
tions. This enables us to precisely and systematically classify these as- 
sumptions. 

In particular, we identify a parameter, termed granularity, which de- 
scribes the underlying probability space in an assumption. Varying gran- 
ularity we discover the following surprising result: We prove that two DL- 
related assumptions can be reduced to each other for medium granularity 
but we also show that they are provably not reducible with generic algo- 
rithms for high granularity. Further we show that reductions for medium 
granularity can achieve much better concrete security than equivalent 
high-granularity reductions. 

Keywords: Complexity Theory, Cryptographic Assumptions, Generic 
Algorithms, Discrete Logarithms, Diffie-Hellman, Square Exponent, In- 
verse Exponent. 



1 Introduction 

Most modern cryptographic algorithms rely on assumptions on the computational difficulty of some particular number-theoretic problem. One well-known class of assumptions is related to the difficulty of computing discrete logarithms in cyclic groups [?]. In this class a number of variants exist. The most prominent ones besides Discrete Logarithm (DL) itself are the computational and decisional Diffie-Hellman (DH) assumptions [?] and their generalization [?]. Less known assumptions are Matching Diffie-Hellman [?], Square Exponent¹ (SE) and the Inverse Exponent (IE) [?], an assumption also implicitly required for the security of [?]. Several papers have studied relations among these assumptions, e.g., [?].

¹ This problem is called Squaring Diffie-Hellman in [?].

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 244–[?], 2001.

© Springer-Verlag Berlin Heidelberg 2001

In the concrete formalizations of these assumptions one has various degrees 
of freedom offered by parameters such as computational model, problem type 
(computational, decisional or matching) or success probability of adversary. How- 
ever, such aspects are often not precisely considered in the literature and related 
consequences are simply overlooked. In this paper, we address these aspects 
by identifying the parameters relevant to cryptographic assumptions. Based on 
this, we present an understandable formal framework and a notation for defining 
DL-related assumptions. This enables us to precisely and systematically classify 
these assumptions. 

Among the specified parameters, we focus on a parameter we call granularity of the probability space which underlies an assumption. Granularity defines what part of the underlying algebraic structure (i.e., algebraic group and generator) is part of the probability space and what is fixed in advance: For high granularity an assumption has to hold for all groups and generators; for medium granularity the choice of the generator is included in the probability space and for low granularity the probability is taken over both the choice of the group and the generator. Assumptions with lower granularity are weaker than those with higher granularity. Yet not all cryptographic settings can rely on the weaker variants: Only when the choice of the system parameters is guaranteed to be random can one rely on a low-granularity assumption. Consider an anonymous payment system where the bank chooses the system parameters. To base the security of such a system a-priori on a low-granularity assumption would not be appropriate. A cheating bank might try to choose a weak group with trapdoors (easy problem instances) [?] to violate the anonymity of the customer. An average-case low-granular assumption would not rule out that infinitely many weak groups exist even though the number of easy problem instances is asymptotically negligible. However, if we choose the system parameters of the payment system through a random yet verifiable process we can resort to a weaker assumption with lower granularity. Note that to our knowledge no paper on anonymous payment systems addresses this issue properly. Granularity was also overlooked in different contexts, e.g., [?] ignores that low-granular assumptions are not known to be random self-reducible, which leads to a wrong conclusion.

In this paper we show that varying granularity can lead to surprising results. We extend the results of [?] to the problem class IE, i.e., we prove statements on relations between IE, DH and SE for both computational and decisional variants in the setting of [?] which corresponds to the high-granular case. We then consider medium granularity (with other parameters unchanged) and show the impact: We prove that the decisional IE and SE assumptions are equivalent for medium granularity whereas this is provably not possible for their high-granular variants, at least not in the generic model [?]. We also show that reductions between computational IE, SE and DH can offer much better concrete security for medium granularity than their high-granular analogues.
2 Terminology

2.1 Algebraic Structures 

The following terms are related to the algebraic structures underlying an as- 
sumption. 

Group $G$: All considered assumptions are based on cyclic finite groups. For brevity, however, we will omit the “cyclic finite” in the sequel and refer to them simply as “groups”. The order of a group is associated with a security parameter $k$ which classifies the group according to the difficulty of certain problems (e.g., DL).

Group family $\mathcal{G}$: A set of groups with the “same” structure/nature. An example is the family of the groups used in DSS [?], i.e., unique subgroups of $\mathbb{Z}_p^*$ of order $q$ with $p$ and $q$ prime, $|q| \approx 2k$ and $p = rq + 1$ for an integer $r$ sufficiently large to make DL hard to compute in security parameter $k$. Other examples are non-singular elliptic curves or composite groups $\mathbb{Z}_n^*$ with $n$ a product of two safe primes.

Generator $g$: In the DL settings, we also need a generator $g$ which generates the group $G$, i.e., $\forall y \in G\ \exists x \in \mathbb{Z}_{|G|} : y = g^{x}$.

Structure instance $SI$: The structure underlying the particular problem. In our case this means a group $G$ together with a non-empty tuple of generators $g_i$. As a convention we abbreviate $g_1$ to $g$ if there is only a single generator associated with a given structure instance.



2.2 Problem Families 

The following two definitions characterize a particular problem underlying an 
assumption. 

Problem family $\mathcal{P}$: A family of abstract and supposedly difficult relations. Examples are Discrete Logarithm (DL), Diffie-Hellman (DH), or the Representation Problem (RP). Note that the problem family ignores underlying algebraic groups and how parameters are chosen. Further, note that in the definition of problem families we don't distinguish between decisional or computational variants of a problem.

Problem instance $PI$: A list of concrete parameters fully describing a particular instance of a problem family, i.e., a structure instance $SI$ and a tuple $(priv, publ, sol)$ where $priv$ is the tuple of secret values used to instantiate that problem, $publ$ is the tuple of information publicly known on that problem and $sol$ is the solution of that problem instance. This presentation achieves a certain uniformity of description and allows a generic definition of problem types. For convenience, we define $PI^{SI}$, $PI^{\mathcal{P}}$, $PI^{publ}$, $PI^{priv}$, $PI^{sol}$ as the projection of a problem instance $PI$ to its structure instance, problem family and public, private and solution part, respectively. When not explicitly stated, we can assume that $priv$ consists always of elements from $\mathbb{Z}_{|G|}$ and $publ$ and $sol$ consist of elements from $G$. Furthermore, the structure instance $SI$ is assumed to be publicly known.

If we take the DH problem for integers modulo a prime $p$ as an example, $PI_{DH}$ is defined by the tuple $\ldots$ with $PI_{DH}^{\mathcal{P}} = DH$, $\ldots$ respectively.



3 Parameters of DL-Based Assumptions 

In formulating intractability assumptions for problems related to DL we identified the following orthogonal parameters which suffice to describe assumptions relevant to cryptographic applications².

Note that the labels of the following sublists (e.g., “u” and “n” for the first parameter) are used later in Section 4 to identify values corresponding to a given parameter (e.g., “Computational capability of adversary” for the above example).

1. Computational capability of adversary: Potential algorithms solving a problem have to be computationally limited for number-theoretic assumptions to be meaningful (otherwise we could never assume their nonexistence). Here, we only consider algorithms (called adversary in the following) with running times bounded by a polynomial. The adversary can be of

u (Uniform complexity): There is a single probabilistic Turing machine (TM) $A$ which for any given problem instance from the proper domain returns a (not necessarily correct) answer in expected polynomial time in the security parameter $k$.

n (Non-uniform complexity): There is an (infinite) family of TMs $\{A_i\}$ with description size and running time of $A_i$ bounded by a polynomial in the security parameter $k$.

To make the definition of the probability spaces more explicit we model probabilistic TMs always as deterministic machines with the random coins given as explicit input $C$ chosen from the uniform distribution $U$.

Finally, a note on notation: In the case a machine $A$ has access to some oracles $O_1, \ldots, O_n$, we denote that as $A^{O_1, \ldots, O_n}$.

2. “Algebraic knowledge”: A second parameter describing the adversary's computational capabilities relates to the adversary's knowledge on the group family. It can be one of the following:

σ (Generic): This means that the adversary doesn't know anything about the structure (representation) of the underlying algebraic group. More precisely this means that all group elements are represented using a random bijective encoding function $\sigma(\cdot) : \mathbb{Z}_{|G|} \to G$ and group operations can only be performed via the addition and inversion oracles $\sigma(x + y) \leftarrow \sigma_{+}(\sigma(x), \sigma(y))$ and $\sigma(-x) \leftarrow \sigma_{-}(\sigma(x))$ respectively, which the adversary receives as a black box [?]. If we use $\sigma$ in the following we always mean the (not further specified) random encoding used for generic algorithms with a group $G$ and generator $g$ implicitly implied in the context. In particular, by $A^{\sigma}$ we refer to a generic algorithm.

(marked by absence of σ) (Specific): In this case the adversary can also exploit special properties (e.g., the encoding) of the underlying group.

3. Success probability: The adversary's success probability in solving problem instances (for a given security parameter $k$ and probability distribution $\mathcal{D}$) can either be

1 (Perfect): The algorithm $A$ must solve all problem instances from $\mathcal{D}$.

$1 - 1/\mathrm{poly}(k)$ (Strong): The algorithm $A$ must be successful with overwhelming probability, i.e., at most a negligible (in $k$) amount of instances in $\mathcal{D}$ can remain unsolved.

$\epsilon$ (Invariant): The algorithm $A$ must answer at least a constant fraction $\epsilon$ of the queries from $\mathcal{D}$ successfully.

$1/\mathrm{poly}(k)$ (Weak): The algorithm $A$ must be successful with at least a non-negligible amount of queries from $\mathcal{D}$.

An assumption requiring the inexistence of perfect adversaries corresponds to worst-case complexity, i.e., if the assumption holds then there are at least a few hard instances. However, what is a-priori required in most cases in cryptography is an assumption requiring even the inexistence of weak adversaries, i.e., if the assumption holds then most instances are hard.

4. “Granularity of probability space”: Depending on what part of the structure instance is a-priori fixed (i.e., the assumption has to hold for all such parameters) or not (i.e., the parameters are part of the probability space underlying an assumption) we distinguish among the following situations:

l (Low-granular): The group family (e.g., prime order subgroups of $\mathbb{Z}_p^*$) is fixed but not the specific structure instance (e.g., parameters $p$, $q$ and generators $g_i$ for the example group family given above).

m (Medium-granular): The group (e.g., $p$ and $q$) but not the generators $g_i$ are fixed.

h (High-granular): The group as well as the generators $g_i$ are fixed.

5. Problem family: The following problem families are useful (and often used) for cryptographic applications. As mentioned in Section 2.2 we describe the problem family (or more precisely their problem instances) by an (abstract) structure instance $SI$ $(G, g_1, g_2, \ldots)$ and an (explicit) tuple $(priv, publ, sol)$:

DL (Discrete Logarithm): $PI_{DL} := (SI, ((x), (g^{x}), (x)))$.

DH (Diffie-Hellman): $PI_{DH} := (SI, ((x, y), (g^{x}, g^{y}), (g^{xy})))$.

GDH (Generalized Diffie-Hellman): $PI_{GDH} := (SI, ((x_i \mid 1 \le i \le n \wedge n \ge 2), (g^{\prod_{i \in I} x_i} \mid \forall I \subset \{1, \ldots, n\}), (g^{\prod_{i=1}^{n} x_i})))$.

SE (Square-Exponent): $PI_{SE} := (SI, ((x), (g^{x}), (g^{x^2})))$.

IE (Inverse-Exponent): $PI_{IE} := (SI, ((x), (g^{x}), (g^{x^{-1}})))$. Note that $priv$ $(x)$ has to be an element of $\mathbb{Z}_{|G|}^*$ here, contrary to the other problem families mentioned where $priv$ contains elements of $\mathbb{Z}_{|G|}$.

RP (Representation Problem): $PI_{RP} := (SI, ((x_i \mid 1 \le i \le n \wedge n \ge 2), (\prod_{i=1}^{n} g_i^{x_i}), (x_i \mid 1 \le i \le n)))$.

6. Problem type: Each problem can be formulated in three variants.

C (Computational): For a given problem instance $PI$ the algorithm $A$ succeeds if and only if it can solve $PI$, i.e., $A(PI^{publ}, \ldots) = PI^{sol}$.

D (Decisional): For a given problem instance $PI$, a random problem instance $PI_R$ and a random bit $b$ the algorithm $A$ succeeds if and only if it can decide whether a given solution matches the given problem instance, i.e., $A(PI^{publ}, b * PI^{sol} + \bar{b} * PI_R^{sol}, \ldots) = b$.

M (Matching): For two given problem instances $PI_0$ and $PI_1$, and a random bit $b$ the algorithm $A$ succeeds if and only if it can correctly associate the solutions to their corresponding problem instances, i.e., $A(PI_0^{publ}, PI_1^{publ}, PI_b^{sol}, PI_{\bar{b}}^{sol}, \ldots) = b$.

7. Group family: We distinguish between group families with the following generic properties. The factorization of the group order contains

lprim large prime factors (at least one)

nsprim no small prime factor

prim only a single and large prime factor

² For this paper we slightly simplified the classification. Further parameters and values and more details can be found in the full paper [?].
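As an added example (not part of the paper), the following Python sketch instantiates the problem instances $PI = (SI, (priv, publ, sol))$ of item 5 for the DL, DH, GDH, SE, IE and RP families over a constructed toy prime-order subgroup, together with the three problem types of item 6 and the fixed-versus-sampled split of item 4 (granularity). The toy parameters $p = 2879$, $q = 1439$, the dictionary layout and all function names are assumptions of this example.

```python
import random
from itertools import combinations

# Constructed toy group family standing in for the DSS-style family of Section 2.1:
# the subgroup of prime order q in Z_p^* with p = 2q + 1 (both prime).
TOY_P, TOY_Q = 2879, 1439


def sample_group(rng):
    """S_G("prime-order groups", 1^k): here always the toy group (p, q)."""
    return (TOY_P, TOY_Q)


def sample_generator(G, rng):
    """S_g(G): a random generator of the order-q subgroup of Z_p^*."""
    p, q = G
    while True:
        g = pow(rng.randrange(2, p), (p - 1) // q, p)
        if g != 1:
            return g


def sample_structure_instance(granularity, rng, G=None, gens=None, n=1):
    """Item 4: h fixes G and the generators, m fixes G and draws the generators,
    l draws both inside the probability space."""
    if granularity == "l":
        G = sample_group(rng)
    if granularity in ("l", "m"):
        gens = tuple(sample_generator(G, rng) for _ in range(n))
    return {"G": G, "gens": gens}


def sample_problem_instance(family, SI, rng, n=3):
    """S_PI(family, SI): PI = (SI, (priv, publ, sol)) as in item 5; priv is drawn
    from Z_q (Z_q^* for IE), publ and sol are group elements except for DL and RP."""
    p, q = SI["G"]
    gens = SI["gens"]
    g = gens[0]
    if family == "DL":
        x = rng.randrange(q)
        priv, publ, sol = (x,), (pow(g, x, p),), (x,)
    elif family == "DH":
        x, y = rng.randrange(q), rng.randrange(q)
        priv, publ, sol = (x, y), (pow(g, x, p), pow(g, y, p)), (pow(g, x * y % q, p),)
    elif family == "SE":
        x = rng.randrange(q)
        priv, publ, sol = (x,), (pow(g, x, p),), (pow(g, x * x % q, p),)
    elif family == "IE":
        x = rng.randrange(1, q)                       # priv must lie in Z_q^*
        priv, publ, sol = (x,), (pow(g, x, p),), (pow(g, pow(x, -1, q), p),)
    elif family == "GDH":
        xs = tuple(rng.randrange(q) for _ in range(n))

        def g_prod(I):                                # g^{prod_{i in I} x_i}
            e = 1
            for i in I:
                e = e * xs[i] % q
            return pow(g, e, p)
        proper = [I for k in range(n) for I in combinations(range(n), k)]
        priv, publ, sol = xs, tuple(g_prod(I) for I in proper), (g_prod(range(n)),)
    elif family == "RP":
        xs = tuple(rng.randrange(q) for _ in range(n))
        rep = 1
        for gi, xi in zip(gens, xs):                  # prod_i g_i^{x_i}
            rep = rep * pow(gi, xi, p) % p
        priv, publ, sol = xs, (rep,), xs
    else:
        raise ValueError(family)
    return {"SI": SI, "P": family, "priv": priv, "publ": publ, "sol": sol}


def computational_challenge(PI):
    """Type C: the adversary sees PI^publ and must output PI^sol."""
    return PI["publ"]


def decisional_challenge(PI, PI_R, b):
    """Type D: PI^publ with b * PI^sol + (1 - b) * PI_R^sol; the adversary outputs b."""
    return PI["publ"] + (PI["sol"] if b == 1 else PI_R["sol"])


def matching_challenge(PI0, PI1, b):
    """Type M: both public parts, then the solutions in the order fixed by b."""
    pair = (PI0, PI1)
    return PI0["publ"] + PI1["publ"] + pair[b]["sol"] + pair[1 - b]["sol"]


def demo(seed=7):
    """Medium granularity: the toy group is fixed, three generators are drawn, then
    one problem instance per family (plus a second DH instance as PI_R)."""
    rng = random.Random(seed)
    SI = sample_structure_instance("m", rng, G=(TOY_P, TOY_Q), n=3)
    PIs = {f: sample_problem_instance(f, SI, rng) for f in ("DL", "DH", "GDH", "SE", "IE", "RP")}
    PIs["DH_R"] = sample_problem_instance("DH", SI, rng)
    return SI, PIs
```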

4 Defining Assumptions 

Using the parameters and corresponding values defined in the previous section we can define intractability assumptions in a compact and precise way. The notation used is composed out of the labels corresponding to the parameter values of a given assumption. This is best illustrated in the following example. The term

$1/\mathrm{poly}(k)$-$\mathrm{DDH}^{\sigma}$(c:u; g:h; f:prim)

denotes the decisional (D) Diffie-Hellman (DH) assumption in prime-order groups (f:prim) with weak success probability ($1/\mathrm{poly}(k)$), limited to generic algorithms ($\sigma$) of uniform complexity (c:u), and with high granularity (g:h).

The formal assumption statement automatically follows from the parameter values implied by an assumption term. For space reasons we restrict ourselves again to an example as explanation: To assume that the above-mentioned assumption $1/\mathrm{poly}(k)$-$\mathrm{DDH}^{\sigma}$(c:u; g:h; f:prim) holds informally means that there are no generic algorithms of uniform complexity which are asymptotically able to distinguish a non-negligible amount of DH tuples from random ones in prime-order subgroups where the probability space is defined according to high granularity. Formally this assumption is given below. To give the reader a better feel for the newly introduced parameter granularity we specify also the corresponding assumptions with medium and low granularity.

A few explanations to the statements: $S_G$, $S_g$ and $S_{PI}$ are the probabilistic algorithms selecting groups, generators and problem instances, respectively; $\mathrm{ExpectRunTime}$ gives a bound on the expected run time of the algorithm and $\mathrm{Prob}[S :: \mathcal{PS}]$ gives the probability of statement $S$ with the probability taken over a probability space defined by $\mathcal{PS}$. Furthermore, remember that $PI_{DH}$ is $(SI, ((x, y), (g^{x}, g^{y}), (g^{xy})))$, $PI_{DH}^{publ}$ is $(g^{x}, g^{y})$ and $PI_{DH}^{sol}$ is $(g^{xy})$.

A more thorough treatment is omitted here due to space reasons and will appear in [?].
1. Assumption 1/poly(k)-DDH^σ(c:u; g:h; f:prim), i.e., with high granularity:

$\forall p_1, p_2 > 0;\ \forall A^\sigma \in TM;\ \exists k_0;\ \forall k > k_0;$
$\forall G \leftarrow S_G(\text{``prime-order groups''}, 1^k);\ \forall g \leftarrow S_g(G);\ SI \leftarrow (G, g);$
$\mathrm{ExpectRunTime}(A^\sigma(C, G, g, PI_{DH}^{pub})) < k^{p_2};$
$\Big(\big|\,\mathrm{Prob}[A^\sigma(C, G, g, PI_{DH}^{pub}, \bar{b} * PI_{DH}^{sol} + b * PI_R^{sol}) = b ::$
$\qquad b \leftarrow \{0, 1\};\ C \leftarrow U;\ PI_{DH} \leftarrow S_{PI}(DH, SI);\ PI_R \leftarrow S_{PI}(PI_{DH}^{pub}, PI_{DH}^{sol})$
$\big] - 1/2\,\big| \cdot 2\Big) < 1/k^{p_1}$

2. As above except now with medium granularity
(1/poly(k)-DDH^σ(c:u; g:m; f:prim)):

$\forall p_1, p_2 > 0;\ \forall A^\sigma \in TM;\ \exists k_0;\ \forall k > k_0;$
$\forall G \leftarrow S_G(\text{``prime-order groups''}, 1^k);$
$\mathrm{ExpectRunTime}(A^\sigma(C, G, g, PI_{DH}^{pub})) < k^{p_2};$
$\Big(\big|\,\mathrm{Prob}[A^\sigma(C, G, g, PI_{DH}^{pub}, \bar{b} * PI_{DH}^{sol} + b * PI_R^{sol}) = b ::$
$\qquad b \leftarrow \{0, 1\};\ C \leftarrow U;\ g \leftarrow S_g(G);\ SI \leftarrow (G, g);$
$\qquad PI_{DH} \leftarrow S_{PI}(DH, SI);\ PI_R \leftarrow S_{PI}(PI_{DH}^{pub}, PI_{DH}^{sol})$
$\big] - 1/2\,\big| \cdot 2\Big) < 1/k^{p_1}$

3. As above except now with low granularity
(1/poly(k)-DDH^σ(c:u; g:l; f:prim)):

$\forall p_1, p_2 > 0;\ \forall A^\sigma \in TM;\ \exists k_0;\ \forall k > k_0;$
$\mathrm{ExpectRunTime}(A^\sigma(C, G, g, PI_{DH}^{pub})) < k^{p_2};$
$\Big(\big|\,\mathrm{Prob}[A^\sigma(C, G, g, PI_{DH}^{pub}, \bar{b} * PI_{DH}^{sol} + b * PI_R^{sol}) = b ::$
$\qquad b \leftarrow \{0, 1\};\ C \leftarrow U;$
$\qquad G \leftarrow S_G(\text{``prime-order groups''}, 1^k);\ g \leftarrow S_g(G);\ SI \leftarrow (G, g);$
$\qquad PI_{DH} \leftarrow S_{PI}(DH, SI);\ PI_R \leftarrow S_{PI}(PI_{DH}^{pub}, PI_{DH}^{sol})$
$\big] - 1/2\,\big| \cdot 2\Big) < 1/k^{p_1}$

To express relations among assumptions we will use the following notation:

$A \Rightarrow B$ means that if assumption $A$ holds, so does assumption $B$, i.e., $A$
($B$) is a weaker (stronger) assumption than $B$ ($A$). Vice versa, it also means
that if there is a (polynomially-bounded) algorithm $A_B$ breaking assumption
$B$ then we can build another (polynomially-bounded) algorithm with
(oracle) access to $A_B$ which breaks assumption $A$.

$A \Leftrightarrow B$ means that $A \Rightarrow B$ and $B \Rightarrow A$, i.e., $A$ and $B$ are assumptions
of the same (polynomial) complexity.

Furthermore, if we are referring to oracle assumptions, i.e., assumptions where
we give adversaries access to auxiliary oracles, we indicate it by listing the
oracles at the end of the list in the assumption term. For example, the assumption
1/poly(k)-DDH^σ(c:u; g:h; f:prim; $O_{\text{1-DSE(c:u;g:h;f:prim)}}$) corresponds to the first
assumption statement given above except that now the adversary also gets access
to an oracle breaking the assumption 1-DSE(c:u; g:h; f:prim). Finally, if we
use * for a particular parameter in an assumption term we mean the class of
assumptions where this parameter is varied over all possible values.
5 The Impact of Granularity

It would go beyond the scope (and space) of this paper to discuss all previously
identified parameters and we will focus only on granularity. Before stating the
actual results, let us first briefly repeat the practical relevance of granularity as
alluded to in the introduction. Assumptions with lower granularity are weaker and
are thus more desirable in principle. However, which of the granularity variants
is appropriate in cryptographic protocols depends on how and by whom the
parameters are chosen. A priori we have to use a high-granular assumption.
Yet in the following situations we can resort to a weaker, less granular assumption:
the security requirements of the cryptographic system guarantee that it is in
the best (and only) interest of the chooser of the system parameters to choose
them properly; the system parameters are chosen by a mutually trusted third
party; or the system parameters are chosen in a verifiable random process.^
Furthermore, care has to be taken for DL-related high- and medium-granular
assumptions in Z* and its subgroups. Unless we further constrain the set of valid
groups with (expensive) tests as outlined by [?], we require, for a given security
parameter, considerably larger groups than for the low-granular counterpart of
the assumptions.



6 Computational DH, SE and IE

Maurer and Wolf [10] prove the equivalence between the computational SE and
DH assumption in their uniform and high-granular variant for both perfect and
invariant success probabilities.

We briefly review their results, extend them to medium granularity
and prove similar relations between IE and DH.

6.1 CSE versus CDH

Theorem 1 ([10]).

$\varepsilon$-CSE(c:u; g:h; f:*) $\Leftrightarrow$ $\varepsilon$-CDH(c:u; g:h; f:*) □

More concretely, they show the following: Let $0 < \alpha_1 < 1$, $0 < \alpha_2 < 1$ be
arbitrary constants and let $G$ be a cyclic group with known order $|G|$. Then

(a) given an oracle $O_{CDH}$ which breaks $\varepsilon$-CDH(c:u; g:h; f:*) in $G$ with success
probability at least $\varepsilon = \alpha_1$, there exists an algorithm $A^{O_{CDH}}$ that breaks
$\varepsilon$-CSE(c:u; g:h; f:*) in $G$ with success probability at least $\varepsilon = \alpha_1$.

(b) given an oracle $O_{CSE}$ which breaks $\varepsilon$-CSE(c:u; g:h; f:*) in $G$ with success
probability at least $\varepsilon = \alpha_2$, there exists an algorithm $A^{O_{CSE}}$ that breaks
$\varepsilon$-CDH(c:u; g:h; f:*) in $G$ with success probability at least $\varepsilon = \alpha_2^{[?]}$.

From these reductions the theorem immediately follows.



^ This can be done either through a joint generation using random coins [?] or using
heuristics such as the one used for DSS key generation [?].

Remark 1. Maurer and Wolf showed the reduction for invariant success probability.
However, the results easily extend also to all other variants related to
success probability, i.e., weak, strong and perfect. ◦

The above relation also holds for medium granularity as we show next.

Theorem 2.

1/poly(k)-CSE(c:u; g:m; f:*) $\Leftrightarrow$ 1/poly(k)-CDH(c:u; g:m; f:*). □

Proof (sketch). The proof idea of Theorem 1 can also be applied in this case. The
only thing we have to show is that the necessary randomization in the reduction
steps can be extended to the medium granularity variants of CDH and CSE.
This can be done using standard techniques and is shown in the full version of
this paper [?]. The rest of the proof then remains the same as the proof of
Theorem 1. ■

Remark 2. Reduction proofs of a certain granularity can in general be easily
applied to the lower granularity variant of the involved assumptions. The
necessary condition is only that all involved randomizations extend to the wider
probability space associated with the lower granularity parameter.

Remark 3. In all the mentioned problem families the necessary random self-reducibility
exists for medium granularity and the above remark always holds, i.e., we
can transform proofs from a high-granular variant to the corresponding medium-granular
variant. However, it does not seem to extend to low-granular variants.
This would require randomizing not only over the public part of the problem
instance $PI$ and the generator $g$ but also over the groups $G$ with the same
associated security parameter $k$; this seems impossible to do in the general case,
is easily overlooked and can lead to wrong conclusions, e.g., the random
self-reducibility as stated in [?] does not hold as the assumptions are (implicitly)
given in their low-granular form. ◦

6.2 CDH versus CIE

In the following we prove that similar relations as above also exist for CIE. In the
high-granular case the following theorem holds. Here, as well as in the following results
related to IE, we will restrict ourselves to groups of prime order. The results
also extend to more general groups but the general case is more involved^ and
omitted in this version of the paper for space reasons.

Theorem 3.

1/poly(k)-CDH(c:u; g:h; f:prim) $\Leftrightarrow$ 1/poly(k)-CIE(c:u; g:h; f:prim) □

More concretely, we show the following: Let $G$ be a cyclic group with known
prime order. Then

^ Due to the difference in input domains between IE and other assumptions we have
to deal with the distribution of $\mathbb{Z}^*_{|G|}$ over $\mathbb{Z}_{|G|}$. This results, e.g., in the success
probability being reduced by a factor of $\varphi(|G|)/|G|$.
(a) given an oracle $O_{CDH}$ which breaks *-CDH(c:u; g:h; f:prim) in $G$ with success
probability at least * = $\alpha_1(k)$, there exists an algorithm that solves
CIE(c:u; g:h; f:prim) in $G$ with success probability at least $\alpha_1(k)^{O(\log|G|)}$;

(b) given an oracle $O_{CIE}$ which breaks *-CIE(c:u; g:h; f:prim) in $G$ with success
probability at least * = $\alpha_2(k)$, there exists an algorithm that solves
CSE(c:u; g:h; f:prim) in $G$ with success probability at least $\alpha_2(k)^{[?]}$;

(c) following (b), there exists also an algorithm that, with success probability
at least $\alpha_2(k)^{[?]}$, breaks 1/poly(k)-CDH(c:u; g:h; f:prim) in $G$.

From these reductions and Remark 2 the theorem immediately follows. The
complete proof can be found in [?].

Remark 4. For strong and perfect success probabilities, i.e., $\alpha_1(k)$ is either 1 or
$1 - 1/\mathrm{poly}(k)$, the resulting success probability in case (a) can always be polynomially
bounded because $O(\log|G|) = O(\mathrm{poly}(k))$ and there always exist constants
$c$ and $c'$ such that for large enough $k$ it holds that $(1 - [?])$.
However, for the weak and invariant success probability, i.e., $\alpha_1(k)$ is either $\varepsilon$
or $1/\mathrm{poly}(k)$, the resulting error cannot be bounded polynomially. This implies
that the above reduction in (a) does not work directly in the case where the oracle
$O_{CDH}$ is only of the weak or invariant success probability flavor! The success
probability of $O_{CDH}$ first has to be improved by self-correction [?] to strong
success probability, a task expensive both in terms of oracle calls and group
operations. ◦

Next, we prove the above equivalence also for medium granularity. Similar to
Theorem 2 we could argue that due to the existence of a randomization the result
immediately follows also for the medium granularity case. However, we will show
below that the reduction can be performed much more efficiently in the medium-granular
case than in the case above; thereby we improve the concrete security
considerably.

Theorem 4.

1/poly(k)-CSE(c:u; g:m; f:prim) $\Leftrightarrow$ 1/poly(k)-CIE(c:u; g:m; f:prim). □

Proof. We construct $A^{O_{CIE}}$ as follows: Assume we are given a CSE instance
$(g, g^x)$ with respect to generator $g$. We set $h := g^x$ and pass $g^x\,(= h)$
and $g\,(= h^{x^{-1}})$ to $O_{CIE}$. Assuming the oracle answered correctly we get the desired
solution to the CSE problem: $h^{(x^{-1})^{-1}} = h^x = g^{x^2}$.

Conversely we can exploit the identity $h^{(x^{-1})^2} = (g^x)^{x^{-2}} = g^{x \cdot x^{-2}} = g^{x^{-1}}$ to
construct $A^{O_{CSE}}$ solving CIE with a single call to $O_{CSE}$. ■

Remark 5. For each direction we now need only a single oracle call. If we
also take into account that with a single oracle call 1/poly(k)-CSE(c:u; g:m; f:prim)
can be reduced to 1/poly(k)-CDH(c:u; g:m; f:prim), we achieve a reduction from
1/poly(k)-CIE(c:u; g:m; f:prim) to 1/poly(k)-CDH(c:u; g:m; f:prim) while retaining
the success probability of the oracle.

^ The exponent $O(\log|G|)$ stems from a square and multiply used in the reduction.

Remark 6. The above observation also implies that, contrary to the high-granular
case (Remark 4), this reduction directly applies to the invariant and weak success
probability variants of the assumptions, i.e., no self-correction is required. ◦

In particular Remark 5 is of high significance. The reduction we get in the
medium-granular case is much more efficient than the corresponding reduction in
the high-granular case: with a single instead of $\log(|G|)$ (very expensive) oracle
calls and $O(\log(|G|))$ instead of $O(\log(|G|)^2)$ group operations we achieve a
success probability which is higher by a power of $O(\log(|G|))$!

7 Decisional DH, SE and IE

7.1 Difficulty in the Generic Model

We state first a lemma which plays an important role for later proofs in the
context of generic algorithms:

Lemma 1 ([?]). Let $P(X_1, X_2, \ldots, X_n)$ be a non-zero polynomial in $\mathbb{Z}_{p^e}[X]$
of total degree $d > 0$ ($p \in \mathbb{P}$; $e \in \mathbb{N}$). Then the probability that $P(x_1, x_2, \ldots, x_n) = 0$
is at most $d/p$ for a random tuple $(x_1, x_2, \ldots, x_n) \in \mathbb{Z}_{p^e}^n$. □

Using Lemma 1, Wolf [9] shows that there exists no generic algorithm that
can solve DSE (and consequently also DDH) in polynomial time if the order
of the multiplicative group is not divisible by small primes, as summarized in
the following theorem:

Theorem 5 ([9]).

true $\Rightarrow$ 1/poly(k)-DSE^σ(c:u; g:h; f:nsprim) □

Remark 7. More precisely, Wolf shows that the probability that any $A^\sigma$ can
correctly distinguish correct DSE inputs from incorrect ones is at most [?],
where $p'$ is the smallest prime factor of $|G|$ and $T$ is an upper bound on the
algorithm's runtime.

Remark 8. It might look surprising that 1/poly(k)-DSE^σ(c:u; g:h; f:nsprim) always
holds, i.e., it is a fact, not an assumption. Of course, the crucial aspect is
the rather restricted adversary model (the σ in the assumption statement) which
limits adversaries to generic algorithms. However, note that this fact means that
to break DSE one has to exploit deeper knowledge on the actual structure of the
used algebraic groups. In particular, for appropriately chosen prime-order subgroups
of Z* and elliptic or hyper-elliptic curves no such exploitable knowledge
could yet be found and all currently known efficient and relevant algorithms in
these groups are generic algorithms, e.g., Pohlig-Hellman [?] or Pollard-ρ [?].
Nevertheless, care has to be applied when proving systems secure in the generic
model [?]. ◦

In the following theorem we show that also DIE cannot be solved by generic
algorithms if the order of the multiplicative group is not divisible by small primes.

Theorem 6.

true $\Rightarrow$ 1/poly(k)-DIE^σ(c:u; g:h; f:nsprim) □

The proof is similar to the proof of Theorem 5 and can be found in [?].

7.2 DSE versus DDH

Wolf [9] shows the following two results on the relation of DSE and DDH: DSE can
easily be reduced to DDH but the converse does not hold; in fact, Theorem 8
shows that a DSE oracle, even when perfect, is of no help in breaking DDH
assumptions.

Theorem 7 ([9]).

1/poly(k)-DSE(c:u; g:h; f:*) $\Rightarrow$ 1/poly(k)-DDH(c:u; g:h; f:*) □

Remark 9. Following Remark 2 this result easily extends also to the medium-granular
variant. ◦

Theorem 8 ([9]).

true $\Rightarrow$ 1/poly(k)-DDH^σ(c:u; g:h; f:nsprim; $O_{\text{1-DSE(c:u;g:h;f:nsprim)}}$) □

Remark 10. More precisely, Wolf shows that the probability that any $A^{\sigma, O_{1\text{-}DSE}}$
can correctly distinguish correct DDH inputs from incorrect ones is at most [?],
where $p'$ is the smallest prime factor of $|G|$ and $T$ is an upper bound
on the algorithm's runtime. ◦

7.3 DIE versus DDH

In the following we prove that similar relations also hold among DDH and DIE:
we show a reduction from DIE to DDH and prove that a DIE oracle, even when
perfect, is of no help in breaking DDH assumptions.

Theorem 9.

1/poly(k)-DIE(c:u; g:h; f:prim) $\Rightarrow$ 1/poly(k)-DDH(c:u; g:h; f:prim) □

Theorem 10.

true $\Rightarrow$ 1/poly(k)-DDH^σ(c:u; g:h; f:nsprim; $O_{\text{1-DIE(c:u;g:h;f:nsprim)}}$) □

Both proofs follow strategies similar to the proofs of Theorems 7 and 8 and
can be found in [?]. One twist is that the input domains of IE and DH
are different and the DIE oracle cannot answer correctly to queries not from
its domain. However, since this limits the use of a DIE oracle in solving DDH
even further, this does not affect the desired result.

7.4 DSE versus DIE

In the next theorem we prove that an oracle breaking 1-DSE(c:u; g:h; f:*) is of
no help in breaking 1/poly(k)-DIE^σ(c:u; g:h; f:*).

Theorem 11.

true $\Rightarrow$ 1/poly(k)-DIE^σ(c:u; g:h; f:nsprim; $O_{\text{1-DSE(c:u;g:h;f:nsprim)}}$) □

Proof. Similar to the proofs of Theorems [?] and [?] we define a lemma which
associates the minimal generic complexity of solving DIE directly to the smallest
prime factor of the order of the underlying group $G$. Theorem 11 immediately
follows from Lemma 2 and Remark 11. ■



Remark 11. In the classical formulation of decision problems the adversary gets,
depending on the challenge $b$, either the correct element or a random element
as input, i.e., in the case of DIE the adversary gets $g^x$ together with $g^{x^{-1}}$ if
$b = 0$ and $g^c$ if $b = 1$. The formulation used in the lemma considers a slightly
different variant of the decisional problem type: we consider here an adversary
which receives, in random order, both the correct and a random element and
the adversary has to decide on the order of the elements, i.e., the adversary gets
$g^x$ and $(g^{x^{-1}}, g^c)$ for $b = 0$ and $(g^c, g^{x^{-1}})$ for $b = 1$.

This formulation makes the proofs easier to understand. However, note that
both variants can be shown equivalent. ◦



Lemma 2. Let $G$ be a cyclic group and $g$ a corresponding generator, let $p'$ be the
smallest prime factor of $n = |G|$. Let $O_{DSE}$ be a given oracle solving DSE tuples
in $G$ and let $A^{\sigma, O_{DSE}}$ be a generic algorithm for groups $G$ with maximum run
time $T$ and oracle access to $O_{DSE}$. Further let $x_0, x_1$ be random elements of
$\mathbb{Z}^*_{|G|}$, $b \in \{0, 1\}$ a randomly and uniformly chosen bit and $C \leftarrow U$. Then it
always holds that

$\mathrm{Prob}[A^{\sigma, O_{DSE}}(C, (G, g), g^{x_0}, g^{x_1}, g^{x_b^{-1}}) = b] \le \frac{(T+4)(T+3)}{2p'} + \frac{1}{2}.$

Proof. For given $\sigma(1)$, $\sigma(x)$, $\{\sigma(x^{-1}), \sigma(c)\}$, assume that the algorithm $A^{\sigma, O_{DSE}}$
computes at most $T_1 + 4$ (images of) distinct linear combinations $P_i$ of the
elements $1, x, x^{-1}, c$ with $P_i(1, x, x^{-1}, c) = a_{i1} + a_{i2}x + a_{i3}x^{-1} + a_{i4}c$ such that

$\sigma(P_i(1, x, x^{-1}, c)) = \sigma(a_{i1} + a_{i2}x + a_{i3}x^{-1} + a_{i4}c),$

where $a_{ij}$ are constant coefficients. Furthermore, it is not a priori known to
$A^{\sigma, O_{DSE}}$ which of the (known) values in $\{a_{i3}, a_{i4}\}$ is the coefficient for $x^{-1}$ and
which one corresponds to $c$. Assume that $A^{\sigma, O_{DSE}}$ makes $T_2$ calls to $O_{DSE}$.
$A^{\sigma, O_{DSE}}$ may be able to distinguish the coefficient by obtaining information
from either of the following events:

$E_a$: $A^{\sigma, O_{DSE}}$ finds a collision between two distinct linear equations $(P_i, P_j)$ with
$i \ne j$, i.e.,

$\sigma(P_i(1, x, x^{-1}, c)) = \sigma(P_j(1, x, x^{-1}, c)) \Leftrightarrow P_i(1, x, x^{-1}, c) = P_j(1, x, x^{-1}, c).$

$E_b$: $A^{\sigma, O_{DSE}}$ gets at least one positive answer from $O_{DSE}$ for a non-trivial query
with $i \ne j$, i.e.,

$\sigma(P_i(1, x, x^{-1}, c)) = \sigma((P_j(1, x, x^{-1}, c))^2).$

Let $E$ be the union of the events $E_a$ and $E_b$. Now we compute an upper bound
for the probability that either of these events occurs.

Case $E_a$: Consider $P_i$ and $P_j$ as polynomials. There are $\binom{T_1+4}{2} = \frac{(T_1+4)(T_1+3)}{2}$
possible distinct pairs. The probability of a collision for two linear combinations
$P_i, P_j$ is the probability of (randomly) finding the root of the polynomial
$x(P_i - P_j) = 0 \bmod p^e$ for any prime factor $p$ of $|G|$ with $p^e \mid |G|$. Due to Lemma 1 this
probability is at most $2/p$ $(\le 2/p')$, because the degree of $x(P_i - P_j)$ is at most
two.^ It follows that $\mathrm{Prob}[E_a] \le \frac{2}{p'} \cdot \frac{(T_1+4)(T_1+3)}{2} = \frac{(T_1+4)(T_1+3)}{p'}$.

Case $E_b$: For $i \ne j$ it is not possible to derive a relation $P_i = P_j^2$ except that
$P_i$ and $P_j$ are both constant polynomials $(\ne 0)$, meaning that the polynomial
$x^2(P_i - P_j^2) = 0 \bmod p^e$ for $x \ne 0$. The total degree of the polynomial $x^2(P_i - P_j^2)$
is at most 4 and the probability for $E_b$ is at most $4T_2/p'$.

In total we have

$\mathrm{Prob}[E] \le \mathrm{Prob}[E_a] + \mathrm{Prob}[E_b] \le \frac{(T_1+4)(T_1+3)}{p'} + \frac{4T_2}{p'} \le \frac{(T+4)(T+3)}{p'}$

with $T_1 + T_2 \le T$. The success probability of $A^{\sigma, O_{DSE}}$ therefore is:

$\mathrm{Prob}[A^{\sigma, O_{DSE}}(\ldots) = b] = \mathrm{Prob}[E] + \frac{1}{2}\mathrm{Prob}[\bar{E}] = \mathrm{Prob}[E] + \frac{1}{2} - \frac{\mathrm{Prob}[E]}{2} = \frac{\mathrm{Prob}[E]}{2} + \frac{1}{2} \le \frac{(T+4)(T+3)}{2p'} + \frac{1}{2}.$ ■

^ Note that $P_i, P_j$ are also functions of $x^{-1}$, $x \ne 0$ and thus one can virtually think of
the polynomial $x(P_i - P_j)$ by multiplying both sides of the equation $P_i = P_j$ with
$x$. Furthermore, uniformly distributed random values mod $n$ are also randomly and
uniformly distributed mod $p^e$.

In sharp contrast to the above-mentioned high-granular case, we prove in
the following theorem that these assumptions are equivalent for their medium-granular
version (other parameters remain unchanged).

Theorem 12.

1/poly(k)-DSE(c:u; g:m; f:prim) $\Leftrightarrow$ 1/poly(k)-DIE(c:u; g:m; f:prim). □

Proof. Assume we are given a DIE tuple $I_{DIE} = (g, g^x, g^z)$ where $g^z$ is
either $g^{x^{-1}}$ or a random element of group $G$. Set $h := g^x$; then $g = h^t$ and $g^z = h^{tz}$
for some (unknown) $t \in \mathbb{Z}^*_{|G|}$. After reordering the components we obtain the
tuple $(h, h^t, h^{tz})$.

If $z = x^{-1}$ then $t = x^{-1} = z$ and the tuple $(h, h^t, h^{tz})$ will have the form $(h, h^t, h^{t^2})$
which represents a DSE tuple and can be solved by the given DSE oracle. The
probability distribution is correct, since $h$ is a group generator and $h^t$ is a random
element of $G$.

If $z \ne x^{-1}$ then $tz \ne t^2$ and $h^{tz}$ is a random group element ($z$ is a random element
of $\mathbb{Z}^*_{|G|}$) and the elements $h, h^t, h^{tz}$ are independent.

Assume we are given a DSE tuple $(g, g^x, g^z)$ where $g^z$ is either $g^{x^2}$ or a
random group element. Set $h := g^x$; then $g = h^t$ and $g^z = h^{tz}$ for some (unknown)
$t \in \mathbb{Z}^*_{|G|}$. After reordering the components we obtain the tuple $(h, h^t, h^{tz})$.

If $z = x^2$ then we have^ $x = t^{-1}$ and $z = t^{-2}$, meaning that the tuple $(h, h^t, h^{tz})$
has the form $(h, h^t, h^{t^{-1}})$ representing a DIE tuple. Its probability distribution
is correct because $h$ is a group generator, $h^t$ is a random element of $G$ and the
last element $h^{t^{-1}}$ has the correct form.

If $z \ne x^2$ then $h^{tz}$ is a random group element, since $z$ is a random element of
$\mathbb{Z}^*_{|G|}$, and further the elements $h$, $h^t$ and $h^{tz}$ are independent. ■
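The two medium-granularity reductions above, Theorem 4 (CSE and CIE with one oracle call in each direction) and Theorem 12 (DSE and DIE by re-basing the tuple to the generator $h := g^x$), can be exercised end to end in a toy group. The following Python block is an added example, not code from the paper: it uses a constructed prime-order subgroup of $\mathbb{Z}_{2039}^*$ (order 1019, far too small for any real use) and replaces the hypothetical oracles $O_{CSE}$, $O_{CIE}$, $O_{DSE}$, $O_{DIE}$ by brute-force discrete-log solvers, which is only possible at this size. All function and variable names (`o_cse`, `cse_via_cie`, `die_via_dse`, ...) are the example's own. The point is to check that each reduction asks its oracle exactly the question the proof says it does, with a single oracle call, and gets back exactly the required answer.

```python
import random

# Constructed toy parameters (example only): p = 2q + 1 with q prime, so the
# quadratic residues of Z_p^* form a subgroup of prime order q.  1019 and 2039
# are both prime.  Nothing here is large enough to be secure; the size is
# chosen so that brute-force discrete logs run instantly.
Q = 1019           # prime group order |G|
P = 2 * Q + 1      # 2039
G = pow(2, 2, P)   # 4 is a quadratic residue != 1, hence generates the order-Q subgroup


def dlog(g, y):
    """Brute-force discrete log of y to base g in the order-Q subgroup.
    Stands in for the hypothetical oracles; feasible only because Q is tiny."""
    acc = 1
    for k in range(Q):
        if acc == y:
            return k
        acc = acc * g % P
    raise ValueError("element not in the subgroup generated by g")


# --- Perfect oracles for the four problems, given (g, g^x) resp. (g, g^x, g^z) ---
def o_cse(g, gx):
    """CSE oracle: return g^(x^2)."""
    x = dlog(g, gx)
    return pow(g, x * x % Q, P)

def o_cie(g, gx):
    """CIE oracle: return g^(x^-1)."""
    x = dlog(g, gx)
    return pow(g, pow(x, -1, Q), P)

def o_dse(g, gx, gz):
    """DSE oracle: decide whether g^z == g^(x^2)."""
    x = dlog(g, gx)
    return gz == pow(g, x * x % Q, P)

def o_die(g, gx, gz):
    """DIE oracle: decide whether g^z == g^(x^-1)."""
    x = dlog(g, gx)
    return gz == pow(g, pow(x, -1, Q), P)


# --- Theorem 4: re-base to h := g^x, one oracle call per direction ---
def cse_via_cie(g, gx):
    """Solve CSE (g, g^x) -> g^(x^2) with one CIE call.
    With h = g^x we have g = h^(x^-1); O_CIE(h, h^(x^-1)) = h^x = g^(x^2)."""
    h = gx
    return o_cie(h, g)

def cie_via_cse(g, gx):
    """Solve CIE (g, g^x) -> g^(x^-1) with one CSE call.
    O_CSE(h, h^(x^-1)) = h^(x^-2) = (g^x)^(x^-2) = g^(x^-1)."""
    h = gx
    return o_cse(h, g)


# --- Theorem 12: the same re-basing turns a DIE tuple into a DSE tuple and back ---
def die_via_dse(g, gx, gz):
    """Decide DIE with one DSE call: (g, g^x, g^z) reordered as (h, h^t, h^(tz)),
    h = g^x, t = x^-1.  tz = t^2 exactly when z = x^-1."""
    return o_dse(gx, g, gz)

def dse_via_die(g, gx, gz):
    """Decide DSE with one DIE call: (h, h^t, h^(tz)) is a DIE tuple (tz = t^-1)
    exactly when z = x^2."""
    return o_die(gx, g, gz)


def check_reductions(trials=40, seed=7):
    """Compare every reduction against the ground truth on random instances.
    Returns True if all agree; the DIE/DSE checks cover both real and random tuples."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.randrange(1, Q)
        gx = pow(G, x, P)
        if cse_via_cie(G, gx) != pow(G, x * x % Q, P):
            return False
        if cie_via_cse(G, gx) != pow(G, pow(x, -1, Q), P):
            return False
        for real in (True, False):
            z = pow(x, -1, Q) if real else rng.randrange(1, Q)
            if die_via_dse(G, gx, pow(G, z, P)) != (z == pow(x, -1, Q)):
                return False
            z = x * x % Q if real else rng.randrange(1, Q)
            if dse_via_die(G, gx, pow(G, z, P)) != (z == x * x % Q):
                return False
    return True


if __name__ == "__main__":
    print("all reductions agree with ground truth:", check_reductions())
```

Note that the oracles only ever see a pair or triple of group elements, never the exponent the caller knows, so the re-basing in `cse_via_cie` and `die_via_dse` is the whole reduction: the caller changes which element plays the generator, and the proof's distribution argument (that $h^t$ is a uniformly random element of $G$) is what makes the oracle's answer meaningful for the original instance.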

8 Conclusions

In this paper, we identify the parameters relevant to cryptographic assumptions.
Based on this we present a framework and notation for defining assumptions related
to Discrete Logarithms. Using this framework these assumptions can be
precisely and systematically classified. Wider adoption of such a terminology
would ease the study and comparison of results in the literature, e.g., the danger
of ambiguity and mistakes in lengthy textual assumptions and theorems
would be minimized. Furthermore, clearly stating and considering these parameters
opens an avenue to generalize results regarding the relation of different
assumptions and to get a better understanding of them. This is the focus of
our ongoing research and is covered to a larger extent in the full version of the
paper [?].

A parameter in defining assumptions previously ignored in the literature is
granularity. We show (as summarized in Figure 1) that varying this parameter
leads to surprising results: we prove that some DL-related assumptions are equivalent
in one case (medium granular) and provably not equivalent, at least not
in a generic sense, in another case (high granular). Furthermore, we also show
that some reductions for medium granularity are much more efficient than their
high-granular version, leading to considerably improved concrete security, in particular
as medium granularity results in weaker assumptions than high-granular
ones. However, we note that medium- or low-granular assumptions apply in cryptographic
settings only when the choice of system parameters is guaranteed to
be truly random.

In this paper we only scratched the topic of granularity and interesting open
questions remain to be answered: While for both CDL and CDH it can be shown
that their high- and medium-granular assumptions are equivalent, this is not yet
known for DDH (also briefly mentioned as an open problem in [?]). Only few relations
can be shown for low-granular assumptions as no random self-reducibility
is yet known. However, achieving such "full" random self-reducibility seems very
difficult in general (if not impossible) in number-theoretic settings [?], contrary
to, e.g., lattice settings used in [?].

^ This is because $h^x = g^{x^2} = h^{tx^2}$, which implies $h^x = h^{tx^2}$, $x = tx^2$ and $t = x^{-1}$.

Fig. 1. Summary of our results (figure not reproduced; legend: efficient reduction,
inefficient reduction, reduction impossible in generic model).
Abstract. Security analysis of multiparty cryptographic protocols distinguishes
between two types of adversarial settings: In the non-adaptive
setting, the set of corrupted parties is chosen in advance, before the interaction
begins. In the adaptive setting, the adversary chooses who to
corrupt during the course of the computation. We study the relations
between adaptive security (i.e., security in the adaptive setting) and
non-adaptive security, according to two definitions and in several models
of computation. While affirming some prevailing beliefs, we also obtain
some unexpected results. Some highlights of our results are:

— According to the definition of Dodis-Micali-Rogaway (which is set
in the information-theoretic model), adaptive and non-adaptive security
are equivalent. This holds for both honest-but-curious and
Byzantine adversaries, and for any number of parties.

— According to the definition of Canetti, for honest-but-curious adversaries,
adaptive security is equivalent to non-adaptive security
when the number of parties is logarithmic, and is strictly stronger
than non-adaptive security when the number of parties is super-logarithmic.
For Byzantine adversaries, adaptive security is strictly
stronger than non-adaptive security, for any number of parties.

1 Introduction

Security analysis of cryptographic protocols is a delicate task. A first and crucial
step towards meaningful analysis is coming up with an appropriate definition of
security of the protocol problem at hand. Formulating good definitions is non-trivial:
They should be comprehensive and stringent enough to guarantee security
against a variety of threats and adversarial behaviors. On the other hand, they
should be as simple, workable, and as permissive as possible, so as to facilitate
design and analysis of secure protocols, and to avoid unnecessary requirements.
Indeed, in contrast with the great advances in constructing cryptographic
protocols for a large variety of protocol problems, formalizing definitions of security
for cryptographic protocol problems has been progressing more slowly. The
first protocols appearing in the literature use only intuitive and ad-hoc notions
of security, and rigorous security analysis was virtually non-existent. Eventually,
several general definitions of security for cryptographic protocols have appeared
in the literature. Most notable are the works of Goldwasser and Levin
[GL90], Micali and Rogaway [MR91], Beaver [B91], Canetti [C00] and Dodis
and Micali [DM00] (that concentrate on the task of secure function evaluation
[Y82,Y86,GMW87]), and Pfitzmann and Waidner [PW94], Pfitzmann, Schunter
and Waidner [PSW00], and Canetti [C00a] (that discuss general reactive tasks).
In particular, only recently do we have precise and detailed definitions that allow
rigorous study of "folklore beliefs" regarding secure protocols.

This work initiates a comparative study of notions of security, according to 
different definitions. We concentrate on secure function evaluation, and in partic- 
ular the following aspect. Adversarial behavior of a computational environment 
is usually modelled via a single algorithmic entity, the adversary, the capabili- 
ties of which represent the actual security threats. Specifically, in a network of 
communicating parties the adversary is typically allowed to control (or, corrupt) 
some of the parties. Here the following question arises: How are the corrupted 
parties chosen? One standard model assumes that the set of corrupted parties 
is fixed before the computation starts. This is the model of non-adaptive adver- 
saries. Alternatively, the adversary may be allowed to corrupt parties during the 
course of the computation, when the identity of each corrupted party may be 
based on the information gathered so far. We call such adversaries adaptive. 

Indeed, attackers in a computer network (hackers, viruses, insiders) may
break into computers during the course of the computation, based on partial
information that was already gathered. Thus the adaptive model seems to better
represent realistic security threats, and so provide a better security guarantee.
However, defining and proving security of protocols is considerably easier in the
non-adaptive model. One quintessential example for the additional complexity of
guaranteeing adaptive security is the case of using encryption to transform protocols
that assume ideally secure channels into protocols that withstand adversaries
who hear all the communication. In the non-adaptive model standard Chosen-Ciphertext-Attack
secure encryption [DDN91] (or even plain semantically
secure encryption [GM84], if used appropriately) is sufficient. To obtain
adaptively secure encryption, it seems that one needs to either trust data erasures
[?], or use considerably more complex constructs [CFGN96,B97,DN00,?].

Clearly, adaptive security implies non-adaptive security, under any reasonable
definition of security. However, is adaptive security really a stronger notion
than non-adaptive security? Some initial results (indicating clear separation in
some settings) are provided in [CFGN96]. On the other hand, it is a folklore belief
that in an "information theoretic setting" adaptive and non-adaptive security
should be equivalent. Providing more complete answers to this question, in several
models of computation, is the focus of this work. While some of our results
affirm common beliefs, other results are quite surprising, and may considerably
simplify the design and analysis of protocols.

Models of computation. We study the additional power of adaptive adversaries
in a number of standard adversary models, and according to two definitions
(the definition of Dodis, Micali, and Rogaway [MR91,DM00], and that of Canetti
[C00]). To develop the necessary terminology for presenting our results let us
very shortly outline the structure of definitions of security of protocols. (The description
below applies to both definitions. The [MR91,DM00] definition imposes
some additional requirements, sketched in a later section.)

As mentioned above, both definitions concentrate on the task of Secure Func- 
tion Evaluation. Here the parties wish to jointly evaluate a given function at a 
point whose value is the concatenation of the inputs of the parties. In a nutshell, 
protocols for secure function evaluation are protocols that “emulate” an ideal 
process where all parties privately hand their inputs to an imaginary trusted 
party who privately computes the desired results, hands them back to the par- 
ties, and vanishes. A bit more precisely, it is required that for any adversary A, 
that interacts with parties running a secure protocol tt and induces some global 
output distribution, there exists an “ideal-process” adversary S, that manages 
to obtain essentially the same global output distribution in the ideal process. The 
global output contains the adversary’s output (which may be assumed to be his 
entire view of the computation), together with the identities and outputs of the 
uncorrupted parties. (Adversary S is often called a simulator, since it typically 
operates by simulating a run of A.) The following parameters of the adversarial 
models turn out to be significant for our study. 

Adversarial activity: The adversary may be either passive (where even corrupted
parties follow the prescribed protocol, and only try to gather additional
information), or active, where corrupted parties are allowed to arbitrarily
deviate from their protocol. Passive (resp., active) adversaries are
often called honest-but-curious (resp., Byzantine).

Number of players: We distinguish between the case of a small number of
players, where $n$, the number of players, is $O(\log k)$, and a large number of
players, where $n$ is $\omega(\log k)$. (Here $k$ is the security parameter.)

Complexity of adversaries: We consider three cases. Information-Theoretic
(IT) security does not take into account any computational complexity considerations.
That is, both adversaries $A$ and $S$ have unbounded resources
regardless of each other's resources. Universal security allows $A$ unbounded
resources, but requires $S$ to be efficient (i.e., expected polynomial) in the
complexity of $A$. Computational security restricts both $A$ and $S$ to expected
polynomial time (in the security parameter). Note that universal security
implies both IT security and computational security (all other parameters
being equal). However, IT security and computational security are incomparable.
See [C00] for more discussion on the differences between these notions
of security and their meaning.

Quality of emulation: We consider either perfect emulation (where the output
distributions of the real-life computation and of the ideal process must
be identically distributed), or statistical emulation (where the output distributions
should be statistically indistinguishable), or computational emulation
(where the output distributions should be computationally indistinguishable).

The rest of the Introduction overviews the state of affairs regarding the added 
power of adaptivity, as discovered by our investigation. We do not attempt here 
to explain “why” things are as they are. Such (inevitably subjective) explana- 
tions require more familiarity with the definitions and are postponed to the body 
of the paper. 

Our results: Canetti's definition. This definition is stated for several models of computation. We concentrate by default on the secure channels model, where the communication channels are perfectly secret and universal security is required. The same results hold also for the computational setting, where the adversary sees all communication but is restricted to polynomial time. Finally, we also consider a weaker variant of this definition, not considered in [C00], where only IT security is required (and the communication channels are secure). 

The most distinctive parameter here seems to be whether the adversary is active or passive. If the adversary is active (i.e., Byzantine) then adaptive security is strictly stronger than non-adaptive security, regardless of the values of all other parameters. We show this via a protocol for three parties that is non-adaptively universally secure with perfect emulation, but adaptively insecure, even if the adversary is computationally bounded and we are satisfied with computational emulation. This is the first such example involving only a constant number of players, for any constant. 

In the case of passive adversaries the situation is more involved. Out of the 
nine settings to be considered (IT, universal, or computational security, with per- 
fect, statistical, or computational emulation), we show that for one - IT security 
and perfect emulation - adaptive and non-adaptive security are equivalent, for 
any number of players. In all other eight settings we show that, roughly speak- 
ing, adaptive security is equivalent to non-adaptive security when the number 
of players is small, and is strictly stronger when the number of players is large. 
We elaborate below. 

For a large number of players, it follows from an example protocol shown in [CFGN96] that for statistical or computational emulation, adaptive security is strictly stronger than non-adaptive security. We show separation also for perfect emulation, where universal or computational security is required. We complete the picture by showing that for a small number of players, and perfect emulation, adaptive and non-adaptive security are equivalent. Equivalence holds even in the case of statistical or computational emulation, if n is O(log k / log log k). (Notice that there is a small gap between this equivalence result and the known separating example for n ∈ ω(log k). To close this gap, we also show that if one relaxes slightly the demands on the complexity of simulators and allows them to be expected polynomial time except with negligible probability, then equivalence holds for all n ∈ O(log k). In many cases, this definition of "efficient simulation" seems to be as reasonable as the standard one.) 
Equivalence of adaptive and non-adaptive security for the case of passive adversaries and a small number of players is very good news: Many protocol problems (for instance, those related to threshold cryptography) make most sense in a setting where the number of parties is fixed. In such cases, when concentrating on passive adversaries, adaptivity comes "for free", which significantly simplifies the construction and analysis of these protocols. 

Our results: Dodis-Micali-Rogaway definition. This definition holds for the secure channels setting only. It is incomparable to the definition of [C00]: On the one hand, it makes a number of additional requirements. On the other hand, only IT security is required. Here, to our surprise, adaptive and non-adaptive security turn out to be equivalent, even for active adversaries, and regardless of the number of players. 

Two properties of the Dodis-Micali-Rogaway definition are essential for our 
proof of equivalence to work. The first is that only IT security is required. The 
second property may be roughly sketched as follows. It is required that there 
exists a stage in the protocol execution where all the parties are “committed” 
to their contributed input values; this stage must occur strictly before the stage 
where the output values become known to the adversary. (In order to formally 
state this requirement one needs to make some additional technical restrictions, 
amounting to what is known in the jargon as “one-pass black-box simulation”. 
See more details within.) 

Organization. Section 2 presents our results relating to the definition of [C00]. Section 3 presents our results relating to the definition of Dodis-Micali-Rogaway. 

2 Adaptivity vs. Non-adaptivity 
in the Definition of Canetti 

This section describes our results relative to the [C00] definition of security. The main aspects of the definition that we will rely on were briefly described in the Introduction. A more detailed overview is omitted for lack of space and appears in the full version of this work [CDDIM01]. Section 2.1 shows a separating example for the case of an active adversary. Section 2.2 describes separating examples for a passive adversary and a large number of players. Section 2.3 proves the equivalence for passive adversaries and a small number of players, and Section 2.4 shows the equivalence for passive adversaries in the setting of IT security and perfect emulation. 

2.1 Separation for Active Adversaries 

This section shows that adaptive and non-adaptive security are not equivalent 
in the case of active adversaries, for all settings considered here: information- 
theoretic, universal, and computational security, with perfect, statistical, or com- 
putational emulation. This is proved by an example of a simple protocol for se- 
cure function evaluation which is non-adaptively secure, but adaptively insecure, 
in all above settings. 
Our protocol involves three players D, R_1, R_2, where R_1 and R_2 have no input, and D's input consists of two bits s_1, s_2 ∈ {0, 1}. The function f_act to be computed is the function that returns no output for D, s_1 for R_1, and s_2 for R_2. The adversary structure B (the collection of player subsets that can be corrupted) contains all subsets of {D, R_1}, namely the only restriction is that R_2 cannot be corrupted. The protocol π_act proceeds as follows. 

1. D sends s_1 to R_1. 

2. D sends s_2 to R_2. 

3. Each R_i outputs the bit that was sent to it by D, and terminates. D outputs nothing and terminates. 

Claim 1. The protocol π_act non-adaptively, perfectly emulates f_act with universal security, against active adversary structure B. 

Proof. Consider a non-adaptive real-life adversary A that corrupts D. The ideal-process simulator S proceeds as follows. S corrupts D in the ideal model, and provides A with the inputs s_1, s_2 of D. A generates s'_1 to be sent to R_1 and s'_2 to be sent to R_2. S gives s'_1, s'_2 to the trusted party as D's input, outputs A's output, and terminates. It is easy to see that the global output generated by S in the ideal model is identical to the global output with the real-life A. 

The above simulator can be easily modified for the case that A breaks into both D and R_1 (here S may hand in 0, s'_2 to the trusted party as the input of D, where s'_2 is the message prepared by A to be sent to R_2). 

Finally, consider A that corrupts only R_1. The simulator S proceeds as follows. S corrupts R_1 in the ideal model, hands the empty input to the trusted party, and obtains the output s_1 in the ideal model. S then hands s_1 to A as the message that was sent from D to R_1, outputs A's output, and terminates. Again it is easy to see that the global output generated by S is identical to the global output with A. 

Claim 2. The protocol π_act is adaptively insecure for evaluating the function f_act, with either universal, IT or computational security, against active adversary structure B. 

Proof. We show an adaptive efficient real-life adversary A, such that there is no (even computationally unbounded) adaptive ideal-model adversary (simulator) S that can emulate the global view induced by A (even if the emulation is only required to be computational). Intuitively, the goal of our adversary is to ensure that whenever s_1 = s_2, R_2 will output 0, whereas we do not care what happens in other cases. A starts by corrupting R_1 and receiving s_1 in the first stage of the protocol. If s_1 = 0, A terminates. If s_1 = 1, A corrupts D and sends s'_2 = 0 to R_2 in the second stage of the protocol. 

To prove that this A cannot be simulated in the ideal world, note that in the real world, A never corrupts D when D's input is s_1 = s_2 = 0, but always corrupts D when D's input is s_1 = s_2 = 1. In both these cases, R_2 always outputs 0. Now let S be an arbitrary unbounded adaptive ideal-process simulator. (Below "overwhelming probability" refers to 1 − neg for some negligible function neg.) If, when interacting with S in the ideal model, whenever s_1 = s_2 = 1, R_2 outputs 0 with overwhelming probability, then it must be that with overwhelming probability, whenever s_1 = s_2 = 1, S corrupts D before D hands s_1, s_2 to the trusted party. However, in the ideal process, before the trusted party takes the inputs and computes the function, corrupting a party provides only its input, and no other information. Thus, in our case, before D is corrupted S cannot gain any information. It follows that S corrupts D before D hands s_1, s_2 to the trusted party with the same probability for any input s_1, s_2, and in particular when the input is s_1 = s_2 = 0. However, in the real world A never corrupts D in this case, and so the global views are significantly different. 

Claim 1 and Claim 2 together imply that our example separates adaptive security from non-adaptive security for active adversaries in all settings considered. Thus we have: 

Theorem 3. For active adversaries, adaptive security is strictly stronger than 
non-adaptive security, under any notion of security, as long as there are at least 
three parties. 

Discussion. The essential difference between adaptive and non-adaptive security is well captured by the simplicity of the protocol used in our separating example, which at first look may seem like a very "harmless" protocol. Indeed, π_act is a straightforward implementation of the function f_act, which just "mimics" the ideal-world computation: instead of the trusted party passing the input of one party to the output of another party, the message is sent directly between the parties. For the non-adaptive setting, this intuition translates into a proof that any adversary A can be simulated by an adversary S in the ideal world. However, as we have shown, the protocol is susceptible to an attack by an adaptive adversary. 

In the heart of this separation is the idea that some information in the pro- 
tocol (the value of si in our example) is revealed prematurely before the parties 
have “committed” to their inputs. Thus, an adaptive adversary may take ad- 
vantage of that by choosing whether to corrupt a party (and which one) based 
on this information, and then changing the party’s input to influence the global 
output of the execution. 

On the other hand, as we will show, for a passive adversary and information-theoretic security, non-adaptive security is equivalent to adaptive security. This may suggest the intuition that even for active adversaries, in the information-theoretic setting, adaptive and non-adaptive security may be equivalent for a subclass of protocols that excludes examples of the above nature; that is, for protocols where "no information is revealed before the parties have committed to their inputs". This is in fact the case for many existing protocols (cf. [BGW88, CDM98]), and furthermore, the definition of Dodis-Micali-Rogaway requires this condition. In Section 3 we indeed formalize and prove this intuition, showing equivalence for the definition of Dodis-Micali-Rogaway. 
Finally, we remark that for two parties and active adversaries, the situation is more involved: In the IT setting, adaptive security is equivalent to non-adaptive security. In the universal and computational settings, we have a separating example showing that adaptive security is strictly stronger, assuming perfectly hiding bit-commitment exists (which holds under standard complexity assumptions). However, this example heavily relies on a technical requirement, called post-execution corruptibility (PEC), which is part of the definition of adaptive security, needed in order to guarantee secure composability of protocols (the technical meaning of the requirement is described along with the definition in [CDDIM01]). In contrast, the above three-party separating example holds in all settings, regardless of whether the PEC requirement is imposed or not.^1 



2.2 Separation for Passive Adversaries 
and a Large Number of Players 

In [CFGN96], Canetti et al. show an example protocol that separates adaptive and non-adaptive security for passive adversaries and a large number of players, when only statistical or computational emulation is required. This separation holds for universal, IT, and computational security. Very roughly, the protocol is based on sharing a secret among a large set of players, making the identity of the set very hard to guess for a non-adaptive adversary, but easy for an adaptive one. We refer the reader to [CFGN96] for details of the example. 

To complete the picture, we show an example that, under standard com- 
plexity assumptions, separates adaptive and non-adaptive security even when 
perfect emulation is required, for the universal or computational security model. 
The example is only sketched here, and the complete proof and definitions of 
the standard primitives used, are deferred to the final version of the paper. 

Our example relies on the existence of perfectly hiding bit commitment schemes and collision-intractable hash functions.^2 For n players, we will need to hash n commitments in a collision-intractable manner. Thus, the number of players required depends on the strength of the assumption: For n that is polynomial in the security parameter k, this is a standard assumption, whereas for n = ω(log k) this requires a stronger assumption. For simplicity, we refer below to a large number of players, instead of making the explicit distinction based on the quality of the computational assumption. 

The protocol involves players P_0, P_1, ..., P_n, where the input of P_0 is a function h from a family of collision-intractable hash functions, and a public key pk for a perfectly hiding bit commitment scheme. The input of each other P_i is a bit b_i. The output of each player is h, pk. The protocol proceeds as follows: 

^1 The setting of two parties without PEC is only of interest if we are considering a 2-party protocol as a standalone application, without composing it with multi-player protocols. For this setting, we can prove equivalence of adaptive and non-adaptive security in the secure channels model or when the simulation is black box. 

^2 This example is an extension of another example given in [CFGN96], which uses only bit commitment, and works only for black-box simulators. 
1. P_0 sends h, pk to all other players. 

2. Each P_i, i ≥ 1, computes and broadcasts a commitment c_i = commit(pk, b_i, r_i). 

3. All players output h, pk. 

We allow the adversary to corrupt P_0 and in addition any subset of size n/2 of the other players. 

Then this protocol is non-adaptively universally secure, with perfect emulation (since the bit commitment used is perfectly hiding). However, the protocol is adaptively insecure (both universally and computationally): Consider an adversary A that first corrupts P_0, computes the hash function on all the commitments sent, and interprets it as a subset of n/2 players into which A subsequently breaks. It can then be shown that any simulator for A can be used to either break the commitment scheme, or find collisions in h. 

We thus have the following theorem. 

Theorem 4. For passive adversaries and a large number of parties, adaptive security is strictly stronger than non-adaptive security, under all notions of security except IT with perfect emulation. This holds unconditionally for either statistical or computational emulation, and under the assumption that a perfectly hiding bit commitment scheme and a collision intractable hash function family exist, for perfect emulation. 

2.3 Equivalence for Passive Adversaries 
and a Small Number of Parties 

This section proves that adaptive and non-adaptive security against a passive 
adversary are equivalent when the number of parties is small. 

Before going into our results, we need to elaborate on a simplifying assumption we make in this section. As previously mentioned, the [C00] definition of adaptive security (as well as [B91, MR91], in different ways) includes a special technical requirement, called post-execution corruptibility (PEC). This requirement is in general needed in order to guarantee secure composition of protocols in the adaptive setting (see [CDDIM01] for more technical details about PEC). 

However, in the particular setting of this section, i.e. passive adversaries and a small number of players, it turns out that PEC is an "overkill" requirement for guaranteeing composability of protocols. Very informally, the argument for this is the following. Let π and ρ be protocols that are adaptively secure without the PEC property. These protocols are (of course) also non-adaptively secure. Since the non-adaptive definition of security is closed under (non-concurrent) composition [C00], it follows that the "composed" protocol, π∘ρ, is non-adaptively secure. By our result given below, the composed protocol is also adaptively secure (without PEC). 

We conclude that in the setting of this section, PEC is not needed to guarantee adaptively secure composition, and therefore we discuss in this section only results that hold without assuming the PEC requirement.^3 

^3 If we were to assume the PEC requirement, we can in fact show a two-party protocol which is non-adaptively secure, but adaptively insecure (this is the same example 
We first note that the general definition takes a simpler form in the passive case. In particular, in the passive case we may assume without loss of generality that the real-life adversary waits until the protocol terminates, and then starts to adaptively corrupt the parties; corrupting parties at an earlier stage is clearly of no advantage in the passive case. Similarly, the ideal-process adversary may be assumed to corrupt parties after the ideal function evaluation terminates. To further ease the exposition, we will make in the remainder of this section the following simplifying assumptions: (1) assume that the adversary is deterministic; (2) assume that the function computed by the protocol is deterministic; and (3) ignore auxiliary inputs. The results in this section generalize to hold without the above assumptions. 

The Card Game. In attempting to prove equivalence between non-adaptive and adaptive security, it may be helpful to picture the following game. Let B be a monotone adversary structure. The game involves two players, the adversary and the simulator, and n distinct cards. The two players are bound to different rules, as specified below. 

Adversary. When the adversary plays, the faces of the n cards are picked from some (unknown) joint distribution V = (V_1, ..., V_n) and are initially covered. 
The adversary proceeds by sequentially uncovering cards according to a fixed 
deterministic strategy; that is, the choice of the next card to be uncovered 
is determined by the contents of previously uncovered cards. Moreover, the 
index set of uncovered cards should always remain within the confines of 
the structure B. After terminating, the adversary’s output consists of the 
identity and the contents of all uncovered cards. 

Simulator. The simulator plays in a different room. It is initially given n distinct blank cards, all of which are covered. Similarly to the adversary, it is allowed to gradually uncover cards, as long as the set of uncovered cards remains in B. Its goal is to fill the blank uncovered cards with content, so that the final configuration (including the identity and contents of uncovered cards) is "similarly" distributed to the adversary's output. (The precise sense of this similarity requirement will depend on the specific security setting.) Note that unless the simulator has some form of access to the unknown distribution V, the game would not make much sense. Indeed, we grant the simulator the following type of restricted access to V. At each stage, when the set of uncovered cards is some b ∈ B, the simulator may freely sample from some fixed distribution Ṽ_b which is guaranteed to be "similar" to V_b, the restriction of V to b. (Again, the type of this similarity depends on the setting.) The |B| distributions Ṽ_b may be arbitrarily (or adversarially) fixed, as long as they conform to the above similarity condition. 



(footnote 3, continued) based on perfectly hiding bit commitment which was mentioned at the end of Section 2.1). Thus, strictly speaking, there is a separation in this setting under the [C00] definition. The results in other sections hold regardless of whether the PEC requirement is imposed or not. 
Let us briefly explain the analogy between the above game and the question of non-adaptive versus adaptive security. Fix some n-party protocol π computing a deterministic function f, and suppose that π is non-adaptively secure against a passive B-limited adversary. The n cards correspond to the n parties. The distribution V corresponds to the parties' joint view under an input x, which is a priori unknown. Uncovering the i-th card by the adversary and learning V_i corresponds to corrupting the i-th party P_i in the real-life process and learning its entire view: its input, random input, communication messages, and output. Uncovering the i-th card by the simulator corresponds to corrupting P_i in the ideal-model process. Finally, each distribution Ṽ_b from which the simulator can sample corresponds to a simulation of a non-adaptive adversary corrupting b, which exists under the assumption that π is non-adaptively secure. Note that the simulator can access Ṽ_b only when all cards in b are uncovered; this reflects the fact that the non-adaptive simulation cannot proceed without learning the inputs and outputs of corrupted parties. The types of similarity between Ṽ_b and V_b we will consider are perfect, statistical, and computational, corresponding to the type of non-adaptive emulation we assume. We will also consider the relation between the computational complexity of the adversary and that of the simulator, addressing the security variants in which the simulator is computationally bounded. 

Remark. The above game models a secure channels setting, in which the adversary has no information before corrupting a party. To model open channels (or a "broadcast" channel), the distribution V should be augmented with an additional entry V_0, whose card is initially uncovered. The analysis that will follow can be easily adapted to deal with this more general setting. 



Perfect Emulation. We first deal with perfect emulation, i.e., the case where Ṽ_b = V_b for all b ∈ B. In this setting, we show how to construct an adaptive simulator running in (expected) time polynomial in the time of the adversary and the size of the adversary structure. The construction from this section will allow us to prove equivalence of non-adaptive and adaptive security both in the information-theoretic case (see Section 2.4) and, when the adversary structure is small, in the universal case. 

A black-box simulator. To prove equivalence between non-adaptive and adaptive 
security it suffices to show that for any adversary strategy A there exists a 
simulator strategy S, such that under any distribution V the simulator wins. In 
fact, we will construct a single simulator S with a black-box access to A, and 
later analyze it in various settings. 

On Adaptive vs. Non-adaptive Security of Multiparty Protocols 273 

A convention for measuring the running time of black-box simulators. In the following we view adaptive simulators as algorithms supplied with two types of oracles: distribution oracles Ṽ_b, implemented by a non-adaptive ideal-process adversary (to be referred to as a non-adaptive simulator), and an adaptive adversary oracle A. In measuring the running time of a simulator, each oracle call will count as a single step. This convention is convenient for proving universal security: If the protocol has universal non-adaptive security and the black-box simulator S runs in expected time poly(k) then, after substituting appropriate implementations of the oracles, the expected running time of S is polynomial in k and the expected running time of A.^4 

In the description and analysis of S we will use the following additional notation. By v_b, where v is an n-tuple (presumably an instance of V) and b ⊆ [n] is a set, we denote the restriction of v to its b-entries. For notational convenience, we assume that the entries of a partial view v_b, obtained by restricting v or by directly sampling from V_b or Ṽ_b, are labeled by their corresponding b-elements (so that b can be inferred from v_b). We write v →_A b if the joint card contents (view) v leads the adversary A to uncover (corrupt) the set b at some stage. For instance, v →_A ∅ always holds. An important observation is that whether v →_A b holds depends only on v_b. This trivially follows from the fact that cards cannot be covered once uncovered. Hence, we will also use the notation v' →_A b, where v' is a |b|-tuple representing a partial view. 

In our description of the simulator we will adopt the simplified random vari- 
able notation from the game described above, but will revert to the original 
terminology of corrupting parties rather than uncovering cards. 

Before describing our simulator S, it is instructive to explain why a simpler simulation attempt fails. Consider a "straight line" simulator which proceeds as follows. It starts by corrupting b = ∅. At each iteration, it samples Ṽ_b and runs the adversary on the produced view to find the first party outside b it would corrupt. The simulator corrupts this party, adds it to b, and proceeds to the next iteration (or terminates with the adversary's output if the adversary would terminate before corrupting a party outside b). This simulation approach fails for the following reason. When sampling Ṽ_b, the produced view is independent of the event which has led the simulator to corrupt b. This makes it possible, for instance, that the simulator corrupts a set which cannot be corrupted at all in the real-life execution. The simulator S, described next, will fix this problem by insisting that the view sampled from Ṽ_b be consistent with the event that the adversary corrupts b. 

Algorithm of S. 

1. Initialization: Let b_0 = ∅. The set b_i will contain the first i parties corrupted by the simulator. 

2. For i = 0, 1, 2, ... do: 

(a) Repeatedly sample v' ← Ṽ_{b_i} (by invoking the non-adaptive simulator) until v' →_A b_i (i.e., the sampled partial view would lead A to corrupt b_i). Let v_i be the last sampled view. (Recall that v' includes the identities of parties in b_i.) 

^4 Note that when the protocol has universal non-adaptive security, a distribution Ṽ_b can be sampled in expected polynomial time from the view of an ideal-process adversary corrupting b. 
(b) Invoke A on v_i to find the index p_{i+1} of the party which A is about to corrupt next (if any). If there is no such party (i.e., A terminates), output v_i. Otherwise, corrupt the p_{i+1}-th party, let b_{i+1} = b_i ∪ {p_{i+1}}, and iterate to the next i. 

The analysis of the simulator S, appearing in [CDDIM01], shows that in the case of a perfect non-adaptive emulation (Ṽ_b = V_b): (1) S perfectly emulates A, and (2) the expected running time of S is linear in |B|. We may thus conclude the following: 

Theorem 5. For function evaluation protocols with passive adversary, universal perfect security, and n = O(log k) parties, adaptive and non-adaptive security are equivalent. 



Imperfect Emulation. We next address the cases of statistical and compu- 
tational security against a passive adversary. Suppose that we are given an im- 
perfect (statistical or computational) non-adaptive simulator and attempt to 
construct an adaptive one. If we use exactly the same approach as before, some 
technical problems arise: with imperfect non-adaptive emulation, it is possible 
that a real life adversary A corrupts some set with a very small probability, 
whereas this set is never corrupted in emulated views. As a result, the loop in 
step (2a) of the algorithm of S will never terminate, and the expected time will 
be infinite. Consequently, it is also unclear whether S will produce a good output distribution when given access to imperfect non-adaptive simulation oracles Ṽ_b. 

We start by showing that when the size of the adversary structure is poly- 
nomial, the simulator S will indeed produce a (statistically or computationally) 
good output distribution even when given access to (statistically or computation- 
ally) imperfect non-adaptive simulators. Moreover, it will turn out that when the 
adversary structure is polynomial, the expected running time of S is polynomial 
except with negligible probability. Later, we define a more sophisticated simulator 
S' which achieves strict expected-polynomial time simulation, at the expense of 
requiring a stronger assumption on the size of the adversary structure. 

Specifically, these results can be summarized by the following theorem, whose proof appears in [CDDIM01]. 

Theorem 6. For function evaluation protocols with passive adversary and n = O(log k / log log k) parties, adaptive and non-adaptive security are equivalent under any notion of security. Moreover, with a relaxed notion of efficiency allowing a negligible failure probability, the bound on the number of parties can be improved to n = O(log k). 

We remark that Theorem 6 is essentially tight in the following sense: when n = ω(log k), adaptive security is separated from non-adaptive security even if the adaptive simulator is allowed to be computationally unbounded. 
2.4 Equivalence for Passive Adversaries and IT Security

The analysis of the simulation from the previous section implies the following: 

Theorem 7. For function evaluation protocols with passive adversary and per- 
fect information-theoretic security, adaptive and non-adaptive security are equiv- 
alent. 

Note that there is no dependence on the number of players in the above theorem. 

3 Adaptivity vs. Non-adaptivity in the Definition of Dodis-Micali-Rogaway

3.1 Review of the Definition 

For completeness, we start with a very short summary of the definition of secure multiparty computation by Micali and Rogaway, more specifically the version that appears in the paper by Dodis and Micali [DM00]. For additional details, please refer to [DM00].

We have n players; each player $P_i$ starts with a value $x_i$ as input and auxiliary input $a_i$. We set $a = (a_1, \ldots, a_n)$, $x = (x_1, \ldots, x_n)$.

To satisfy the definition, a protocol $\pi$ must have a fixed committal round CR, the point at which inputs become uniquely defined, as follows: The traffic of a player consists of all messages he sends and receives. $\pi$ must specify input and output functions that map traffic to input and output values for the function $f$ computed. The effective inputs $x^\pi_1, \ldots, x^\pi_n$ are determined by applying the input functions to the traffic of each player up to and including CR. So these values are the ones that players “commit to” as their inputs. The effective outputs $y^\pi_1, \ldots, y^\pi_n$ are determined by applying the output functions to the entire traffic of each player.

For adversary A (taking random input and auxiliary input $\alpha$), the random variable $\mathrm{View}(A,\pi)$ is the view of A when attacking $\pi$. We define:

$\mathrm{History}(A,\pi) = (\mathrm{View}(A,\pi),\ x^\pi,\ y^\pi)$

The way A interacts with the protocol is as follows: in each round, A sees all 
messages from honest players in this round. He may then issue some number of 
corruption requests adaptively, and only then must he generate the messages to 
be sent to the remaining honest players. 

The definition calls for existence of a simulator S which may depend on the protocol in question, but not the adversary. The goal of the simulator is to sample the distribution of $\mathrm{History}(A,\pi)$. To do so, it is allowed to interact with A, but it is restricted to one-pass black-box simulation with no bound on the simulator’s running time, i.e., A interacts with S in the same way it interacts with $\pi$, and S is not allowed to rewind A. The simulator S gets an oracle O as help (where the oracle knows $x, a$):
— If $P_j$ is corrupted before CR, the oracle sends $x_j, a_j$ to S.

— At CR, S applies the input functions to the view of A it generated so far to get effective inputs $x^S_j$ of the corrupted players $P_j$. It sends these values to O. O computes the function choosing random input $r$ and using as input the values it got from S for corrupted players and the real $x_j$’s for honest players. The result is $y^S = (y^S_1, \ldots, y^S_n)$. O sends the results for corrupted players back to S.

— If $P_j$ is corrupted in or after CR, O sends $x_j, a_j, y^S_j$ to S.

The random variable $\mathrm{View}(A,S)$ is the view of A when interacting with S. The effective inputs $x^S$ are as defined above, i.e., if a $P_j$ is corrupted before CR, then his effective input $x^S_j$ is determined by the input function on his traffic, else $x^S_j = x_j$. The effective outputs $y^S$ are defined as what the oracle outputs, i.e. $y^S = f(x^S, r)$.

$\mathrm{History}(A,S) = (\mathrm{View}(A,S),\ x^S,\ y^S)$

We can now define that $\pi$ computes $f$ securely iff there exists a simulator S such that for every adversary A, and every $x, a, \alpha$,

$\mathrm{History}(A,S) = \mathrm{History}(A,\pi)$

i.e., the two variables have identical distributions.

At first sight it may seem strange that the definition does not explicitly 
require that players who are honest up to CR actually commit to their real 
inputs, or that players who are never corrupted really receive “correct” values. 
But this follows from the definition: 

Lemma 1. If $\pi$ computes $f$ securely, then the input and output functions are such that if $P_j$ remains honest up to CR, then $x^\pi_j = x_j$. And if $P_j$ is never corrupted, then $y^\pi_j$ is the j’th component of $f(x^\pi, r)$, for a random $r$.

Proof. Consider an adversary $A_j$ that never corrupts $P_j$. Then the first claim follows from $x^S_j = x_j$ and $\mathrm{History}(A_j, S) = \mathrm{History}(A_j, \pi)$. The second follows from $\mathrm{History}(A_j, S) = \mathrm{History}(A_j, \pi)$ and the fact that the correlation $y^S_j = f(x^S, r)_j$ between $x^S$ and $y^S$ always holds.

Note that this lemma continues to hold, even if we only assume static security. 



3.2 Equivalence of Adaptive and Non-adaptive Security 

It turns out to be convenient in the following to define the notion of a partial history of an adversary A that either attacks $\pi$ or interacts with a simulator. A partial history covers the history up to a point at the start of, or inside, round j for some j. That is, round j − 1 has been completed but round j has not. If j < CR, then such a partial history consists of a view of the adversary up to round j, possibly including some part of round j. If j > CR, but the protocol is not finished, a partial history consists of a partial view of A as described before plus the effective inputs. Finally, if the protocol is finished at round j, the history is as defined earlier: the complete view of A plus the effective inputs and outputs.

Note that if S is such that $\mathrm{History}(A,\pi) = \mathrm{History}(A,S)$, then trivially it also holds that the partial histories of $A,\pi$ and of $A,S$ ending at any point are identically distributed. Moreover, since S never rewinds, the value of the partial history of $A,S$ at some point in time will be fixed as soon as S has reached that point in the simulation.

We can then slightly extend the actions an adversary can take: a halting adversary A' is one that interacts with protocol or simulator in the normal way, but may at any point output a special halting symbol and then stop. In the simulation, if the simulator receives such a symbol, the simulation process also stops. The histories $\mathrm{History}(A',\pi)$, $\mathrm{History}(A',S)$ are defined to be whatever the partial history is at the point when A' stops.

Trivially, protocol $\pi$ is secure in the above definition if and only if, for any halting adversary A', $\mathrm{History}(A',\pi) = \mathrm{History}(A',S)$. Note that this extension of the definition does not capture any new security properties; it is simply a “hack” that turns out to be convenient in the proof of the following theorem.

In the following we assume that there exists a static (non-adaptive) simulator $S_0$ such that for every static adversary $A_0$, and every $x, a, \alpha$,

$\mathrm{History}(A_0, S_0) = \mathrm{History}(A_0, \pi)$

We want to make a general simulator S that shows that $\pi$ in fact is secure against any adaptive adversary A; in other words, we claim

Theorem 8. Adaptive and non-adaptive security are equivalent under the Dodis-Micali-Rogaway definition.

To this end, we construct a static adversary $A_B$ (of the halting type), for every set B that it is possible for A to corrupt. $A_B$ plays the following strategy, where we assume that $A_B$ is given black-box access to the (adaptive) adversary A, running with some random and auxiliary inputs $r_A$ and $\alpha$ (we could also have given $r_A, \alpha$ as input to $A_B$, letting it simulate the algorithm of A, but the set-up we use is more convenient in the following):

Algorithm of $A_B$

1. Corrupt the set B initially. For each $P_j \in B$, initialize the honest algorithm for $P_j$, using as input $x_j, a_j$ learnt from corrupting $P_j$ (and fresh random input).

2. Start executing the protocol, initially letting the players in B play honestly, but keeping a record of their views. At the same time, start running A.

3. Whenever A issues a corruption request for player $P_j$, we do the following: if $P_j \in B$, we provide A with $x_j, a_j$ and all internal data of $P_j$. After this point, all messages for $P_j$ are sent to A, and we let A decide the actions of $P_j$ from this point. If $P_j \notin B$, output a halt symbol and stop.
The idea in the following is to use the assumed ability (by $S_0$) to generate histories of $A_B$ attacking $\pi$ to generate histories of A attacking $\pi$. Note that in any round of $\pi$, the current history of $A_B$ contains both the (so far honest) history of 0 or more players that A has not yet corrupted, plus the view so far of A. So for any such (partial) history u of $A_B$, we let $\mathrm{Aview}(u)$ be the view of A that can be extracted from u in the natural way.

In particular, if u is a history of $A_B$ that ends after the final round of the protocol, then $\mathrm{Aview}(u)$ is a complete view of A where A corrupted only players in B, whereas if u ends before the protocol is complete, $\mathrm{Aview}(u)$ ends in the round where A requested to corrupt some player outside B.

We are now ready to describe how a simulator S can be constructed. The full algorithm and analysis of S are omitted for lack of space, and appear in [CDDIM01]. Here we give only the basic idea:

From the beginning, A has not corrupted any players. So we can create the start of a history by running $(A_\emptyset, S_0)$ (recall that $A_\emptyset$ runs A “in the background”). This will stop as soon as A corrupts the first player $P_j$. Say this happens in round i. Let v be the view of A we obtain from this. Recall that $S_0$ provides perfect emulation. This means that in real life when A attacks $\pi$, we would with the same probability obtain a history where up to round i, A obtains view v and all players including $P_j$ have been honest.

Now, by construction of $A_{\{P_j\}}$, this same history up to round i can also be realized by $A_{\{P_j\}}$ attacking $\pi$; the only difference is that from the beginning $A_{\{P_j\}}$ and not the j’th player runs the honest algorithm of $P_j$. And again by assumption on $S_0$, the history can also be realized by $A_{\{P_j\}}$ interacting with $S_0$.

We can therefore (by exhaustive search over the random inputs) generate a random history of $S_0$ interacting with $A_{\{P_j\}}$, conditioned on the event that the view v for A is produced in the first i rounds (and moreover, this can be done without rewinding A). This process may be inefficient, but this is no problem since we consider IT-security here. Once we succeed, we let $(S_0, A_{\{P_j\}})$ continue to interact until they halt, i.e., we extend the history until the protocol is finished or A corrupts the next player (say $P_{j'}$). In the former case, we are done, and otherwise we continue in the same way with $A_{\{P_j, P_{j'}\}}$.

Once we pass CR, the effective inputs will be determined, and we will get the resulting outputs from the oracle. Note here that since we only consider one-pass black-box simulation, we will never need to rewind back past CR, which might otherwise create problems since then A could change its mind about the effective inputs. Thus the one-pass black-box requirement is also essential for the proof.
Abstract. We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold crypto-systems. We show that given keys for any sufficiently efficient system of this type, general MPC protocols for n parties can be devised which are secure against an active adversary that corrupts any minority of the parties. The total number of bits broadcast is $O(nk|C|)$, where k is the security parameter and |C| is the size of a (Boolean) circuit computing the function to be securely evaluated. An earlier proposal by Franklin and Haber with the same complexity was only secure for passive adversaries, while all earlier protocols with active security had complexity at least quadratic in n. We give two examples of threshold cryptosystems that can support our construction and lead to the claimed complexities.



1 Introduction 



The problem of multiparty computation (MPC) dates back to the papers by Yao [Yao82] and Goldreich et al. [GMW87]. What was proved there was basically that a collection of n parties can efficiently compute the value of an n-input function, such that everyone learns the correct result, but no other new information. More precisely, these protocols can be proved secure against a polynomial time bounded adversary who can corrupt a set of less than n/2 parties initially, and then make them behave as he likes; we say that the adversary is active. Even so, the adversary should not be able to prevent the correct result from being computed and should learn nothing more than the result and the inputs of corrupted parties. Because the set of corrupted parties is fixed from the start, such an adversary is called static or non-adaptive.

There are several proposals on how to define formally the security of such protocols [MR91, Bea91, Can00], but common to them all is the idea that security means that the adversary’s view can be simulated efficiently by a machine that has access to only those data that the adversary is entitled to know.
Proving correctness of a simulation in the case of [Yao82, GMW87] requires a complexity assumption, such as existence of trapdoor one-way permutations. This is because the model of communication considered there is such that the adversary may see every message sent between parties; this is known as the cryptographic model. Later, unconditionally secure MPC protocols were proposed by Ben-Or et al. and Chaum et al. [BGW88, CCD88], in the model where private channels are assumed between every pair of parties. In this paper, however, we are only interested in the cryptographic model with an active and static adversary.

Over the years, several protocols have been proposed which, under specific computational assumptions, improve the efficiency of general MPC, see for instance [CDM00, GRR98]. Virtually all proposals have been based on some form of verifiable secret sharing (VSS), i.e., a protocol allowing a dealer to securely distribute a secret value s among the parties, where the dealer and/or some of the parties may be cheating. The basic paradigm is to ensure that all inputs and intermediate values in the computation are VSS’ed; this prevents the adversary from causing the protocol to terminate early or with incorrect results. In all these earlier protocols, the number of bits sent was $\Omega(n^2 k|C|)$, where n is the number of parties, k is a security parameter, and |C| is the size of a circuit computing the function. Here, C may be a Boolean circuit, or an arithmetic circuit over a finite field, depending on the protocol.

In [FH96] Franklin and Haber propose a protocol for passive adversaries which achieves complexity $O(nk|C|)$. This protocol is not based on VSS (there is no need since the adversary is passive) but instead on a so-called joint encryption scheme, where a ciphertext can only be decrypted with the help of all parties, but still the length of an encryption is independent of the number of parties.



2 Our Results 

In this paper, we present a new approach to building multiparty computation 
protocols with active security, namely we start from any secure threshold en- 
cryption scheme with certain extra homomorphic properties. This allows us to 
avoid the need to VSS all values handled in the computation, and therefore leads 
to more efficient protocols, as detailed below. 

The MPC protocols we construct here can be proved secure against an active and static adversary who corrupts any minority of the parties. Like the protocol of [FH96], our construction requires an initial phase where keys for the threshold cryptosystem are set up. This can be done by a trusted party, or by any suitable MPC. In particular, the techniques of Damgård and Koprowski [DK01] could be used to make this phase reasonably efficient for the example cryptosystems we present here (see below). We stress that unlike some earlier proposals for preprocessing in MPC, the complexity of this phase does not depend on the number or the size of computations to be done later. In the following we therefore focus on the complexity of the actual computation. In our protocol the computation can be done only by broadcasting a number of messages; no encryption is needed to set up private channels. The complexities we state are therefore simply the number of bits broadcast. This does not invalidate comparison with earlier protocols because first, the same measure was used in [FH96] and second, the earlier protocols with active security have complexity quadratic in n even if one only counts the bits broadcast. Our protocol has complexity $O(nk|C|)$ bits and requires $O(d)$ rounds, where d is the depth of C. To the best of our knowledge, this is the most efficient general MPC protocol proposed to date for active adversaries. Note that all complexities stated here and in the previous section are for computing deterministic functions. Probabilistic functions can be handled using standard techniques, see Section 8.1 for details.

Here, C is an arithmetic circuit over a ring R determined by the cryptosystem used, e.g., $R = \mathbb{Z}_N$ for an RSA modulus N, or $R = GF(2^k)$. While such circuits can simulate any Boolean circuit with a small constant factor overhead, this also opens the possibility of building an ad-hoc circuit over R for the desired function, possibly exploiting the fact that with a large R, we can manipulate many bits in one arithmetic operation.

The complexities given here assume existence of sufficiently efficient threshold cryptosystems. We give two examples of such systems with the right properties. One is based on Paillier’s cryptosystem [Pai99] and Damgård and Jurik’s generalisation thereof [DJ01]; the other one is a variant of Franklin and Haber’s cryptosystem [FH96], which is secure assuming that both the QR assumption and the DDH assumption are true (this is essentially the same assumption as the one made in [FH96]). While the first example is known (from [DJ01, FPS00]), the second is new and may be of independent interest.

Franklin and Haber in [FH96] left as an open problem to study the communication requirements for active adversaries. We can now say that under the same assumption as theirs, active security comes essentially for free.

2.1 Concurrent Related Work 

In concurrent independent work, Jakobsson and Juels [JJ00] present an idea for MPC somewhat related to ours, the mix-and-match approach. It too is based on threshold encryption (with extra algebraic properties, similar to, but different from the ones we use). Beyond this, the techniques are completely different. For Boolean circuits and in the random oracle model, they get the same message complexity as we obtain (without using random oracles). The round complexity is larger than ours (namely $O(n + d)$). Another difference is that mix-and-match is inherently limited to circuits where gates can be specified by constant size truth-tables, thus excluding arithmetic circuits over large rings. On the other hand, while mix-and-match can be based on the DDH assumption alone, it is not known if this is possible for our notion of threshold homomorphic encryption.

In [HMP00], Hirt, Maurer and Przydatek show an MPC protocol designed for the private channels model. It can be transformed to our setting by implementing the channels using secure public-key encryption. This results in a protocol that can be based on any secure public-key encryption scheme, with essentially the same communication complexity as ours, but with lower resilience, i.e. tolerating only less than n/3 active cheaters.
3 An Informal Description

In this section, we give an informal introduction to some main ideas. All the 
concepts introduced here will be treated more formally later in the paper. We 
will assume that from the start, the following scenario has been established: 
we have a semantically secure threshold public-key system given, i.e., there is 
a public encryption key pk known by all parties, while the matching private 
decryption key has been shared among the parties, such that each party holds a 
share of it. 

The message space of the cryptosystem is assumed to be a ring R. In practice R might be $\mathbb{Z}_N$ for some RSA modulus N. For a plaintext $a \in R$, we let $\bar a$ denote an encryption of a. We then require certain homomorphic properties: from encryptions $\bar a, \bar b$, anyone can easily compute an encryption of $a + b$, which we denote $\bar a \boxplus \bar b$. We also require that from an encryption $\bar a$ and a constant $\alpha \in R$, it is easy to compute a random encryption of $\alpha a$.

Finally we assume that three secure and efficient protocols are available: 

Proving you know a plaintext If $P_i$ has created an encryption $\bar a$, he can give a zero-knowledge proof of knowledge that he knows a.

Proving multiplications correct Assume that $P_i$ is given an encryption $\bar a$, chooses a constant $\alpha$, computes a random encryption $\overline{\alpha a}$ and broadcasts $\bar\alpha, \overline{\alpha a}$. He can then give a zero-knowledge proof that indeed $\overline{\alpha a}$ contains the product of the values contained in $\bar\alpha$ and $\bar a$.

Threshold decryption For the third protocol, we have common input pk and an encryption $\bar a$; in addition every party also uses his share of the private key as input. The protocol computes securely a as output for everyone.

We can then sketch how to perform securely a computation specified as a 
circuit doing additions and multiplications in R. 

The MPC protocol would simply start by having each party publish encryptions of his input values and give zero-knowledge proofs that he knows these values and also, if we are simulating a Boolean circuit, that the values are 0 or 1. Then any operation involving addition or multiplication by constants can be performed with no interaction. This leaves only the following problem: Given encryptions $\bar a, \bar b$ (where it may be the case that no party knows a nor b), compute securely an encryption of c = ab. This can be done by (a slightly more elaborate version of) the following protocol:

1. The parties generate an additive secret sharing of a:

(a) Each party $P_i$ chooses at random a value $d_i \in R$, broadcasts an encryption $\bar d_i$, and proves he knows $d_i$. Let d denote $\sum_{i=1}^{n} d_i$.

(b) The parties use the third protocol to decrypt $\bar a \boxplus \bar d_1 \boxplus \ldots \boxplus \bar d_n$.

(c) Party $P_1$ sets $a_1 = (a + d) - d_1$; all other parties $P_i$ set $a_i = -d_i$. Note that $a = \sum_i a_i$.

2. Each $P_i$ broadcasts an encryption $\overline{a_i b}$, and invokes the second protocol with inputs $\bar b, \bar a_i$ and $\overline{a_i b}$.

3. Let H be the set of parties for which the previous step succeeded, and let C be the complement of H. The parties decrypt $\boxplus_{i \in C}\, \bar a_i$, learn $a_C = \sum_{i \in C} a_i$ and compute $\overline{a_C b}$. From this, and $\{\overline{a_i b} \mid i \in H\}$, all parties can compute an encryption $(\boxplus_{i \in H}\, \overline{a_i b}) \boxplus \overline{a_C b}$, which is indeed an encryption of ab.

At the final stage we know encryptions of the output values, which we can 
just decrypt. Intuitively this is secure if the encryption is secure because, other 
than the outputs, only random values and values already known to the adversary 
are ever decrypted. We will give proofs of this intuition in the following. 
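To make the three steps concrete, here is an added toy run of the multiplication protocol on top of textbook Paillier, where the message ring is $\mathbb{Z}_N$. This is illustration code written for this edit, not the paper's: the threshold decryption protocol is replaced by a plain decryption with the full secret key, and the two zero-knowledge proofs are replaced by a flag recording whether party i's proof of correct multiplication would have been accepted, so that step 3 can be exercised with some parties excluded. The primes are toy-sized, and the names Paillier, secure_multiply and demo are this example's own.

```python
import secrets
from math import gcd


class Paillier:
    """Textbook Paillier with g = N + 1; the message ring R_pk is Z_N.

    Stand-in for the paper's threshold homomorphic scheme: here the whole
    secret key sits in one object, so dec() plays the role of the threshold
    decryption protocol.  Toy primes only; real keys need ~1024-bit primes."""

    def __init__(self, p, q):
        assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        self.mu = pow(self.lam, -1, self.n)

    def _unit(self):
        while True:
            r = secrets.randbelow(self.n)
            if r and gcd(r, self.n) == 1:
                return r

    def enc(self, m, r=None):
        """E_pk(m)[r]; r is a fresh random unit unless fixed by the caller."""
        r = self._unit() if r is None else r
        return pow(self.n + 1, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def dec(self, c):
        u = pow(c, self.lam, self.n2)
        return ((u - 1) // self.n) * self.mu % self.n

    # Homomorphic operations: anyone holding pk can run these.
    def add(self, c1, c2):  # encryption of a + b from \bar a, \bar b
        return c1 * c2 % self.n2

    def sub(self, c1, c2):  # encryption of a - b
        return c1 * pow(c2, -1, self.n2) % self.n2

    def mul_const(self, alpha, c):  # random encryption of alpha * a
        return pow(c, alpha % self.n, self.n2) * self.enc(0) % self.n2


def secure_multiply(pk, dec, c_a, c_b, n_parties, failed_proofs=frozenset()):
    """Return an encryption of a*b from \bar a, \bar b; nobody learns a or b.

    `dec` stands in for the threshold decryption protocol; `failed_proofs`
    holds the indices whose proof of correct multiplication is rejected."""
    N = pk.n
    # Step 1(a): every P_i broadcasts \bar d_i (and would prove knowledge of d_i).
    d = [secrets.randbelow(N) for _ in range(n_parties)]
    c_d = [pk.enc(di) for di in d]
    # Step 1(b): decrypt \bar a + \bar d_1 + ... + \bar d_n; only a + d is revealed.
    acc = c_a
    for c_di in c_d:
        acc = pk.add(acc, c_di)
    a_plus_d = dec(acc)
    # Step 1(c): shares a_1 = (a+d) - d_1, a_i = -d_i, so that sum(a_i) = a.
    # Encryptions of the shares follow from public data, so everyone has \bar a_i.
    a_sh = [(a_plus_d - d[0]) % N] + [(-di) % N for di in d[1:]]
    c_sh = [pk.sub(pk.enc(a_plus_d, 1), c_d[0])] + [pk.mul_const(-1, c) for c in c_d[1:]]
    # Step 2: each P_i publishes \bar{a_i b} and proves it against \bar b, \bar a_i.
    c_aib = [pk.mul_const(a_sh[i], c_b) for i in range(n_parties)]
    H = [i for i in range(n_parties) if i not in failed_proofs]
    C = [i for i in range(n_parties) if i in failed_proofs]
    # Step 3: sum the accepted \bar{a_i b}; for the rest decrypt a_C = sum of their
    # shares (values the excluded parties chose themselves) and add \bar{a_C b}.
    result = pk.enc(0)
    for i in H:
        result = pk.add(result, c_aib[i])
    if C:
        c_aC = c_sh[C[0]]
        for i in C[1:]:
            c_aC = pk.add(c_aC, c_sh[i])
        a_C = dec(c_aC)
        result = pk.add(result, pk.mul_const(a_C, c_b))
    return result


def demo(a, b, n_parties=5, failed_proofs=frozenset({2})):
    """Run the protocol once; return (decrypted product, expected a*b mod N)."""
    pk = Paillier(7919, 7907)  # toy primes (assumption): fast enough to run here
    c_ab = secure_multiply(pk, pk.dec, pk.enc(a), pk.enc(b), n_parties, failed_proofs)
    return pk.dec(c_ab), (a * b) % pk.n


if __name__ == "__main__":
    print(demo(1234, 5678))
```

The only values ever decrypted are a + d (masked by every party's random $d_i$) and $a_C$ (a sum of shares the excluded parties picked themselves), which is exactly the intuition given above; in a real deployment dec would be the threshold protocol and the `failed_proofs` flag would come from verifying the Σ-protocol of step 2.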

The above multiplication protocol is a more efficient version of a related idea from [FH96], where we have exploited the homomorphic properties to add protection against faults without losing efficiency. Other papers have exploited homomorphic properties to construct efficient protocols for multiplication. In [GV87] Goldreich and Vainish used the homomorphic properties of the QR problem to construct a two-party protocol for multiplication over GF(2), and Kurosawa and Kotera generalised it to GF(L) for small L using the homomorphic properties of the Lth residuosity problem. Using also the Lth residuosity problem, [Kur] constructs an efficient ZKIP for multiplication over GF(L).

4 Preliminaries and Notation 

Let A be a probabilistic polynomial time (PPT) algorithm, which on input $x \in \{0,1\}^*$ and random bits $r \in \{0,1\}^*$ outputs a value $y \in \{0,1\}^*$. We write $y \leftarrow A(x)[r]$ to denote that y should be computed by running A on x and r. By $y \leftarrow A(x)$ we mean that y should be computed using uniformly random r, and by $y \in A(x)$ we mean that y is among the values that A(x) outputs.

4.1 The MPC Model 

We prove security in the MPC model from [Can00], with an open authenticated broadcast channel, against active non-adaptive adversaries corrupting any minority of the parties. We index the parties by $N = \{1, \ldots, n\}$ and let $C \subset N$ denote the subset of corrupted parties; k is the security parameter, and $x_i$ is the secret input of party $P_i$. We study functions giving a common output $y = f(x_1, \ldots, x_n)$. We extend the model to handle this by saying that oracles for such functions broadcast y on the broadcast channel. This is to assure that the ideal-model adversary learns the public output even though no party is corrupted. The technical report [CDN00] contains a more detailed description of the model. In the following we let secure mean secure against minority adversaries.

4.2 IT-protocols 

In this section, we look at two-party zero-knowledge protocols of a particular form. Assume we have a binary relation R consisting of pairs (x, w), where we think of x as a (public) instance of a problem and w as a witness, a solution to the instance. Assume also that we have a 3-move proof of knowledge for R: this protocol gets a string x as common input for prover and verifier, whereas the prover gets as private input w such that $(x, w) \in R$. Conversations in the protocol are of the form (a, e, z), where the prover sends a, the verifier chooses e at random, the prover sends z, and the verifier accepts or rejects. There is a security parameter k, such that the lengths of both x and e are linear in k. We will only look at protocols where also the lengths of a and z are linear in k. Such a protocol is said to be a Σ-protocol if we have the following:

— The protocol is complete: if the prover gets as private input w such that $(x, w) \in R$, the verifier always accepts.

— The protocol is special honest verifier zero-knowledge: from a challenge value e, one can efficiently generate a conversation (a, e, z), with probability distribution equal to that of conversations between the honest prover and verifier where e occurs as challenge.

— A cheating prover can answer only one of the possible challenges: more precisely, from the common input x and any pair of accepting conversations (a, e, z), (a, e', z') where $e \neq e'$, one can compute efficiently w such that $(x, w) \in R$.

It is easy to see that the definition of Σ-protocols is closed under parallel composition.

5 Threshold Homomorphic Encryption 

In this section we formalise the notion of threshold homomorphic encryption. 

Definition 1 (Threshold Encryption Scheme). We call the tuple (K, KD, R, E, Decrypt) a threshold encryption scheme if the following holds.

Key space The key space $\mathcal{K} = \{\mathcal{K}_k\}_{k \in \mathbb{N}}$ is a family of finite sets of keys of the form $(pk, sk_1, \ldots, sk_n)$. We call pk the public key and call $sk_i$ the private key share of party i. There exists a PPT key-generator K which given k generates a random key $(pk, sk_1, \ldots, sk_n) \leftarrow K(k)$ from $\mathcal{K}_k$. By $sk_C$ for $C \subset N$ we denote the family $\{sk_i\}_{i \in C}$.

Key-generation There exists an n-party protocol KD securely evaluating the key-generator K.

Message Sampling There exists a PPT algorithm R, which on input pk outputs a uniformly random element from a set $R_{pk}$. We write $m \leftarrow R_{pk}$.

Encryption There exists a PPT algorithm E, which on input pk and $m \in R_{pk}$ outputs an encryption $\bar m \leftarrow E_{pk}(m)$ of m. By $C_{pk}$ we denote the set of possible encryptions for the public key pk.

Decryption There exists a secure protocol Decrypt which on common input $(\bar M, pk)$, and secret input $sk_i$ for the honest party $P_i$, where $sk_i$ is the secret key share of the public key pk and $\bar M$ is a set of encryptions of the messages $M \subset R_{pk}$, returns M as common output.¹

Threshold semantic security Let A be any PPT algorithm, which on input $1^k$, C such that $|C| < n/2$, public key pk, and corresponding private keys $sk_C$ outputs two messages $m_0, m_1 \in R_{pk}$ and some arbitrary value $s \in \{0,1\}^*$. Let $X_i(k, C)$ denote the distribution of $(s, c_i)$, where $(pk, sk_1, \ldots, sk_n) \leftarrow K(k)$, $(m_0, m_1, s) \leftarrow A(1^k, C, pk, sk_C)$, and $c_i \leftarrow E_{pk}(m_i)$. Then $X_i = \{X_i(k, C)\}_{k \in \mathbb{N},\, C : |C| < n/2}$ for i = 0, 1 are distribution ensembles over the index set $\{C \mid |C| < n/2\}$, and we require that $X_0 \approx X_1$.

A threshold homomorphic encryption scheme in addition has these properties:

Message ring For all public keys pk, the message space $R_{pk}$ is a ring in which we can compute efficiently using the public key only. We denote the ring $(R_{pk}, +_{pk}, \cdot_{pk}, 0_{pk}, 1_{pk})$.

$+_{pk}$-homomorphic There exists a PPT algorithm, which given public key pk and encryptions $\bar m_1 \in E_{pk}(m_1)$ and $\bar m_2 \in E_{pk}(m_2)$ outputs a uniquely determined encryption $\bar m \in E_{pk}(m_1 +_{pk} m_2)$. We write $\bar m \leftarrow \bar m_1 \boxplus_{pk} \bar m_2$. Furthermore there exists a similar algorithm, $\boxminus_{pk}$, for subtraction.

Multiplication by constant There exists a PPT algorithm, which on input pk, $m_1 \in R_{pk}$ and $\bar m_2 \in E_{pk}(m_2)$ outputs a random encryption $\bar m \leftarrow E_{pk}(m_1 \cdot_{pk} m_2)$. We write $\bar m \leftarrow m_1 \boxdot_{pk} \bar m_2 \in E_{pk}(m_1 \cdot_{pk} m_2)$. We assume that we can also multiply by a constant from the right.

Blindable There exists a PPT algorithm Blind, which on input pk, $\bar m \in E_{pk}(m)$ outputs an encryption $\bar m' \in E_{pk}(m)$ such that $\bar m'$ is distributed identically to $E_{pk}(m)[r]$, where r is chosen uniformly at random.

Check of ciphertextness Given $y \in \{0,1\}^*$ and pk, where pk is a public key, it is easy to check whether $y \in C_{pk}$.²

Proof of plaintext knowledge Let $L_1 = \{(pk, y) \mid pk \text{ a public key} \wedge y \in C_{pk}\}$. There exists a Σ-protocol for the relation over $L_1 \times (\{0,1\}^*)^2$ given by $(pk, y) \sim (x, r) \Leftrightarrow x \in R_{pk} \wedge y = E_{pk}(x)[r]$.

Proof of correct multiplication Let $L_2 = \{(pk, x, y, z) \mid pk \text{ is a public key} \wedge x, y, z \in C_{pk}\}$. There exists a Σ-protocol for the relation over $L_2 \times (\{0,1\}^*)^3$ given by $(pk, x, y, z) \sim (d, r_1, r_2) \Leftrightarrow y = E_{pk}(d)[r_1] \wedge z = (d \boxdot_{pk} x)[r_2]$.



¹ We need that the Decrypt protocol is secure when executed in parallel. The MPC model in [Can00] is however not security preserving under parallel composition, so we have to state this required property of the Decrypt protocol by simply letting the input be sets of ciphertexts.

² This check can be done either directly or using a Σ-protocol: we will always use the test in a context where a party publishes an encryption and then the recipients either check locally that $y \in C_{pk}$ or the publisher proves it using a Σ-protocol. In the following sections we adapt the terminology to the case where the recipients can perform the test locally. Details for the case where a Σ-protocol is used are easily extractable.
6 Multiparty Σ-Protocols

In a later section we describe how to implement general multiparty computation from a threshold homomorphic encryption scheme, but as the first step towards this we show how one can generally and efficiently extend two-party Σ-protocols, such as those for proof of plaintext knowledge and proof of correct multiplication in a threshold homomorphic encryption scheme, into secure multiparty protocols. We will need two essential tools in this section: the notion of trapdoor commitments and a multiparty protocol for generating a sufficiently random bit string. Our underlying purpose here is to allow a party to prove a claim using a Σ-protocol such that all other parties will be convinced, and to do it much more efficiently than doing the original Σ-protocol independently with each of the other parties.

6.1 Generating (Almost) Random Common Challenges 

First of all we want to be able to generate a common challenge for the $\Sigma$-protocols. Suppose first that $n < 16k$. Then we create a challenge by letting every party choose at random a $\lceil 2k/n \rceil$-bit string, and concatenate all these strings. This produces an $m$-bit challenge, where $2k \leq m < 16k$. We can assume without loss of generality that the basic $\Sigma$-protocol allows challenges of length $m$ bits (if not, just repeat it in parallel a number of times). It is easy to see that with this construction, at least $k$ bits of a challenge are chosen by honest parties and are therefore random, since a majority of parties are assumed to be honest. This is equivalent to doing a $\Sigma$-protocol where the challenge length is the number of bits chosen by honest parties. The cost of doing such a proof is $O(k)$ bits. If $n > 16k$, we will assume, as detailed later, that an initial preprocessing phase returns as public output a description of a random subset $A$ of the parties, of size $4k$. It is easy to see that, except with probability exponentially small in $k$, $A$ will contain at least $k$ honest parties. We then generate a challenge by letting each party in $A$ choose one bit at random, and then continue as above.

6.2 Trapdoor Commitments 

A trapdoor commitment scheme can be described as follows: first a public key $pk$ is chosen based on a security parameter $k$, by running a PPT generator $G$.

There is a fixed function $commit$ that the committer $C$ can use to compute a commitment $c$ to $s$ by choosing some random input $r$, computing $c = commit(s, r, pk)$, and broadcasting $c$. Opening takes place by broadcasting $s, r$; it can then be checked that $commit(s, r, pk)$ is the value $C$ broadcast originally.
We require the following: 

(Perfect) Hiding For a $pk$ correctly generated by $G$, uniform $r, r'$ and any $s, s'$, the distributions of $commit(s, r, pk)$ and $commit(s', r', pk)$ are identical.
(Computational) Binding For any adversary running in expected polynomial time (in $k$) the probability that it, on input $pk$, computes $s, r, s', r'$ such that $commit(s, r, pk) = commit(s', r', pk)$ and $s \neq s'$ is negligible.
Trapdoor Property The algorithm for generating $pk$ also outputs a string $t$, the trapdoor. There is an efficient algorithm which on input $t, pk$ outputs a commitment $c$, and then on input any $s$ produces $r$ such that $c = commit(s, r, pk)$. The distribution of $c$ is identical to that of commitments computed in the usual way.

In other words, the commitment scheme is binding if you know only $pk$, but given the trapdoor, you can cheat arbitrarily. Finally, we also assume that the length of a commitment to $s$ is linear in the length of $s$.^ Existence of commitments with all these properties follows in general merely from existence of $\Sigma$-protocols for hard relations, and this assumption in turn follows from the properties we already assume for the threshold cryptosystems. For concrete examples that would fit with the examples of threshold encryption we use, see [CDN00].

6.3 Putting Things Together 

In our global protocol, we assume that the initial preprocessing phase independently generates for each party $P_i$ a public key $k_i$ for the trapdoor commitment scheme and distributes it to all participating parties. We may assume in the following that the simulator for our global protocol knows the trapdoors $t_i$ for (some of) these public keys. This is because it is sufficient to simulate in the hybrid model where parties have access to a trusted party that will output the $k_i$'s on request. Since this trusted party gets no input from the parties, the simulator can imitate it by running $G$ itself a number of times, learning the trapdoors, and showing the resulting $k_i$'s to the adversary.

In our global protocol there are a number of proof phases. In each such phase, each party in some subset is supposed to give a proof of knowledge: each $P_i$ in the subset has broadcast an $x_i$ and claims he knows $w_i$ such that $(x_i, w_i)$ is in some relation $R_i$ which has an associated $\Sigma$-protocol. We then do the following:

1. Each $P_i$ in $N'$ computes the first message $a_i$ in his proof and broadcasts $c_i = commit(a_i, r_i, k_i)$.^

^ In principle any commitment scheme can be transformed to fulfil this. Assume that a scheme $C$ has commitments of length $k^c$ and consider the modified scheme $C'$ which on security parameter $k$ runs $C$ on security parameter $k' = k^{1/c}$. This scheme is still a commitment scheme, as the error is still negligible, and now the commitments have length $k$. However in the new scheme the basic cryptographic primitives providing the security are instantiated at a much lower key-size, and indeed such a reduction is only weakly security preserving [Can00]. The remaining reductions in this paper are all polynomially security preserving, and for the security of the protocol to be polynomially preserved relative to the underlying computational assumptions the above reduction should be avoided.

^ The subset $N'$ is the subset of the parties that still participate, i.e. have not been excluded due to deviation from the protocol.

^ The intuition behind the use of (independently generated instances of) perfectly hiding trapdoor commitments in the proofs of knowledge of e.g. a plaintext is to avoid malleability issues, and to ensure "independence of inputs" where necessary.
2. Make a random challenge $e$ according to the method described earlier.

3. Each $P_i$ in $N'$ computes the answer $z_i$ to challenge $e$, and broadcasts $a_i, r_i, z_i$.

4. Every party can check every proof given by verifying $c_i = commit(a_i, r_i, k_i)$ and that $(a_i, e, z_i)$ is an accepting conversation.

It is clear that such a proof phase has communication complexity no larger than $n$ times the complexity of a single $\Sigma$-protocol, i.e. $O(nk)$ bits. We denote the execution of the protocol by $(A', N'') \leftarrow \Sigma(A, x_{N'}, w_{H \cap N'}, k_N)$, where $A$ is the state of the adversary before the execution, $x_{N'} = \{x_i\}_{i \in N'}$ are the instances that the parties $N'$ are to prove that they know a witness to, $w_{H \cap N'} = \{w_i\}_{i \in H \cap N'}$ are witnesses for the instances $x_i$ corresponding to honest $P_i$, and $k_N = \{k_i\}_{i \in N}$ are the commitment keys for all the parties. $A'$ is the state of the adversary after the execution,and $N'' \subseteq N'$ is the subset of the parties completing the proof correctly. The reason why the execution only depends on the witnesses $w_{H \cap N'}$ is that the corrupted parties are controlled by the adversary and their witnesses, if even well-defined, are included in the start-state $A$ of the adversary.
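The proof phase above, as an added example that is not part of the paper: Steps 1 to 4 of Section 6.3, the challenge generation of Section 6.1 and the trapdoor equivocation and witness extraction used by the simulator, instantiated with Schnorr's $\Sigma$-protocol for discrete logarithms and Pedersen commitments as the trapdoor commitment scheme. The two toy groups, $k = 3$ and all function names are this example's own assumptions.

```python
import secrets
from math import ceil

# Toy parameters (assumed for this example): Schnorr group of prime order q in Z_p^*,
# p = 2q + 1, and a second group of prime order Q > p in Z_P^* for the Pedersen
# commitments, so that a first message a in Z_p can be committed to as an element of Z_Q.
p, q, g = 227, 113, 4
P, Q, G = 2039, 1019, 4
k = 3  # toy security parameter: the joint challenge carries at least k honest bits


def commit(s, r, key):
    """Trapdoor commitment commit(s, r, key) = G^s H^r mod P for key = (G, H)."""
    G_, H = key
    return pow(G_, s, P) * pow(H, r, P) % P


def gen_commitment_key():
    """Generator G of Section 6.2: public key (G, H) and trapdoor t with H = G^t."""
    t = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, t, P)), t


def trapdoor_open(s0, r0, s, t):
    """Trapdoor property: c = G^s0 H^r0 is opened as s by solving s0 + t r0 = s + t r mod Q."""
    return (r0 + (s0 - s) * pow(t, -1, Q)) % Q


def common_challenge(contributions, n):
    """Section 6.1 for n < 16k: concatenate one ceil(2k/n)-bit random string per party."""
    bits = ceil(2 * k / n)
    e = 0
    for c in contributions:
        assert 0 <= c < 2 ** bits
        e = (e << bits) | c
    return e  # m = n * bits bits, at least k of them chosen by honest parties


def proof_phase(parties):
    """Steps 1-3 of Section 6.3: parties are (x_i, w_i, key_i) with x_i = g^w_i mod p."""
    n = len(parties)
    committed = []
    for x, w, key in parties:                        # Step 1: commit to first message a_i
        u = secrets.randbelow(q)
        a, r = pow(g, u, p), secrets.randbelow(Q)
        committed.append((u, a, r, commit(a, r, key)))
    contributions = [secrets.randbelow(2 ** ceil(2 * k / n)) for _ in parties]
    e = common_challenge(contributions, n)           # Step 2: joint random challenge
    transcripts = []
    for (x, w, key), (u, a, r, c) in zip(parties, committed):
        z = (u + e * w) % q                          # Step 3: answer z_i, open c_i
        transcripts.append((c, a, r, z))
    return e, transcripts


def verify(e, transcripts, parties):
    """Step 4: every party checks every opening and every conversation (a_i, e, z_i)."""
    return [commit(a, r, key) == c and pow(g, z, p) == a * pow(x, e, p) % p
            for (x, _, key), (c, a, r, z) in zip(parties, transcripts)]


def simulate_honest(x, key, t, e):
    """S_Sigma for an honest P_i without w_i: commit to anything, later equivocate."""
    s0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    c = commit(s0, r0, key)                          # Step 1 of S_Sigma, before e is known
    z = secrets.randbelow(q)                         # honest-verifier simulator of Schnorr
    a = pow(g, z, p) * pow(pow(x, e, p), -1, p) % p  # a = g^z x^-e is accepting
    return c, a, trapdoor_open(s0, r0, a, t), z      # Step 3: open c as a


def extract(e0, z0, e1, z1):
    """Step 4 of S_Sigma: two accepting conversations with the same a_i give w_i."""
    return (z0 - z1) * pow(e0 - e1, -1, q) % q
```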

Now let $t_H = \{t_i\}_{i \in H}$ be the commitment trapdoors for the honest parties. We describe a procedure $(A', N'', w_{N'' \cap C}) \leftarrow S_\Sigma(A, x_{N'}, k_N, t_H)$ that will be used as a subroutine in the simulation of our global protocol. $S_\Sigma(A, x_{N'}, k_N, t_H)$ will have the following properties:

— $S_\Sigma(A, x_{N'}, k_N, t_H)$ runs in expected polynomial time and the part $(A', N'')$ of the output is perfectly indistinguishable from the output of a real execution $\Sigma(A, x_{N'}, w_{H \cap N'}, k_N)$ given the start state $A$ of the adversary (which we assume includes $x_{N'}$ and $k_N$).

— Except with negligible probability $w_{N'' \cap C} = \{w_i\}_{i \in N'' \cap C}$ are valid witnesses to the instances $x_i$ corresponding to the corrupted parties completing the proofs correctly.

The algorithm of $S_\Sigma$ is as follows:

1. For each $i$: if $P_i$ is honest, use the trapdoor $t_i$ for $k_i$ to compute a commitment $c_i$ that can be opened arbitrarily and show $c_i$ to the adversary. If $P_i$ is corrupt, receive $c_i$ from the adversary.

2. Run the procedure for choosing the challenge, choosing random contributions on behalf of honest parties. Let $e_0$ be the challenge produced.

3. For each $P_i$ do (where the adversary may choose the order in which parties are handled): If $P_i$ is honest, run the honest verifier simulator to get an accepting conversation $(a_i, e_0, z_i)$. Use the commitment trapdoor to compute $r_i$ such that $c_i = commit(a_i, r_i, k_i)$ and show $(a_i, r_i, z_i)$ to the adversary. If $P_i$ is corrupt, receive $(a_i, r_i, z_i)$ from the adversary.

The current state $A'$ of the adversary and the subset $N''$ of parties correctly completing the proof is copied to the output from this simulation subroutine. In addition, we now need to find witnesses for $x_i$ from those corrupt $P_i$ that sent a correct proof in the simulation. This is done as follows:

4. For each corrupt $P_i$ that sent a correct proof in the view just produced, execute the following loop:

(a) Rewind the adversary to its state just before the challenge is produced.

(b) Run the procedure for generating the challenge using fresh random bits on behalf of the honest parties. This results in a new value $e_1$.

(c) Receive from the adversary proofs on behalf of corrupted parties and generate proofs on behalf of honest parties, w.r.t. $e_1$, using the same method as in Step 3. If the adversary has made a correct proof $a'_i, r'_i, e_1, z'_i$ on behalf of $P_i$, exit the loop. Else go to Step 4a.

If $e_0 \neq e_1$ and $a_i = a'_i$, compute and output a witness for $x_i$ from the conversations $(a_i, e_0, z_i)$, $(a'_i, e_1, z'_i)$. Else output $c_i, a_i, r_i, a'_i, r'_i$ (this will be a break of the commitment scheme). Go on to the next corrupt $P_i$.

It is clear by inspection and assumptions on the commitments and $\Sigma$-protocols that the part $(A', N'')$ of the output is distributed correctly. For the running time, assume $P_i$ is corrupt and let $\epsilon$ be the probability that the adversary outputs a correct $a_i, r_i, z_i$ given some fixed but arbitrary value $View$ of the adversary's view up to the point just before $e$ is generated. Observe that the contribution from the loop to the running time is $\epsilon$ times the expected number of times the loop is executed before terminating, which is $1/\epsilon$, so that the total contribution is $O(1)$ times the time to do one iteration, which is certainly polynomial. As for the probability of computing correct witnesses, observe that we do not have to worry about cases where $\epsilon$ is negligible, say $\epsilon < 2^{-k/2}$, since in these cases $P_i \notin N''$ with overwhelming probability. On the other hand, assume $\epsilon \geq 2^{-k/2}$, let $\bar{e}$ denote the part of the challenge $e$ chosen by honest parties, and let $pr()$ be the probability distribution on $\bar{e}$ given the view $View$ and given that the choice of $e$ leads to the adversary generating a correct answer on behalf of $P_i$. Clearly, both $\bar{e}_0$ and $\bar{e}_1$ are distributed according to $pr()$. Now, the a priori distribution of $\bar{e}$ is uniform over at least $2^k$ values. This, and $\epsilon \geq 2^{-k/2}$, implies by elementary probability theory that $pr(\bar{e}) \leq 2^{-k/2}$ for any $\bar{e}$, and so the probability that $\bar{e}_0 = \bar{e}_1$ is $\leq 2^{-k/2}$. We conclude that except with negligible probability, we will output either the required witnesses, or a commitment with two different valid openings. However, the latter case occurs with negligible probability. Indeed, if this was not the case, observe that since the simulator never uses the trapdoors of $k_i$ for corrupt $P_i$, the simulator together with the adversary could break the binding property of the commitments. Formulating a reduction proving this formally is straightforward and is left to the reader.

7 General MPC from Threshold Homomorphic Encryption

Assume that we have a threshold homomorphic encryption scheme as described in Section 5. In this section we describe the FuncEval$_f$ protocol which securely computes any polynomial time computable $n$-party function $y \leftarrow f(x_1, \ldots, x_n)$ using a uniform polynomially sized family of arithmetic circuits over $R_{pk}$.

Our approach works for any reasonable encoding of $f$ as an arithmetic circuit. This can allow for efficient encodings of arithmetic functions if one can exploit knowledge about the rings $R_{pk}$ over which the function is evaluated. For simplicity we will however here assume that $f$ is encoded using a circuit taking inputs from $\{0_{pk}, 1_{pk}\}$, using $+$, $-$, and $\cdot$ gates, and using the same circuit for a fixed security parameter. Since our encryption scheme is only $+$ and $-$ homomorphic we will be needing a protocol Mult for securely computing an encryption of $m_1 \cdot_{pk} m_2$ given encryptions of $m_1$ and $m_2$.

We assume that the parties have access to a trusted party Preprocess, which at the beginning of the protocol outputs a public value $(k_1, \ldots, k_n)$, where $k_i$ is a random public commitment key for a trapdoor commitment scheme as described in Section 6.2. If $n > 16k$ then furthermore the trusted party returns a public description of a random $4k$-subset of the parties as described in Section 6.1. As described in Section 6 we can then from the $\Sigma$-protocols of the threshold homomorphic encryption scheme for proof of plaintext knowledge and correct multiplication construct $n$-party versions, which we call POPK resp. POCM. The corresponding versions of our general simulation routine $S_\Sigma$ for these protocols will be called $S_{POPK}$ resp. $S_{POCM}$.

7.1 The Mult Protocol 

Description. All honest parties $P_i$ know public values $k_N = \{k_i\}_{i \in N}$, $pk$, and encryptions $\overline{a} \in E_{pk}(a)$, $\overline{b} \in E_{pk}(b)$, for some possibly unknown $a, b \in R_{pk}$, and private values $sk_i$. Furthermore a set $N'$ of participating parties, those that have not been caught deviating from the protocol, is known to all parties. The corrupted parties are controlled by an adversary and the parties want to compute a common value $\overline{c} \in E_{pk}(ab)$ without anyone learning anything new about $a$, $b$, or $a \cdot b$.

Implementation. 

1. First all participating parties additively secret share the value of $a$.

(a) $P_i$, for $i \in N'$, chooses a value $d_i$ uniformly at random in $R_{pk}$, computes an encryption $\overline{d_i} \leftarrow E(d_i)$, broadcasts it, and participates in POPK to check that each $P_i$ knows $d_i$ and $r_i$ such that $\overline{d_i} = E_{pk}(d_i)[r_i]$.

(b) Let $N''$ denote the parties completing the proof in (a) and let $d = \sum_{i \in N''} d_i$. All parties compute $\overline{d} = \boxplus_{i \in N''} \overline{d_i}$ and $\overline{e} = \overline{a} \boxplus \overline{d}$.

(c) The parties in $N''$ call Decrypt to compute the value $a + d$ from $\overline{e}$.

(d) The party in $N''$ with smallest index sets $\overline{a_i} \leftarrow \overline{e} \boxminus \overline{d_i}$ and $a_i \leftarrow a + d - d_i$. The other parties in $N''$ set $\overline{a_i} \leftarrow \boxminus \overline{d_i}$ and $a_i \leftarrow -d_i$.

2. Each party $P_i$ for $i \in N''$ computes $\overline{f_i} \leftarrow a_i \boxdot \overline{b}$, broadcasts $\overline{f_i}$, and participates in POCM to check that all $\overline{f_i}$ were computed correctly. Let $X$ be the subset failing the proof and let $N''' = N'' \setminus X$.

3. The parties compute $\overline{a_X} = \boxplus_{i \in X} \overline{a_i}$ and decrypt it using Decrypt to obtain $a_X = \sum_{i \in X} a_i$.

4. All parties compute $\overline{c} \leftarrow (\boxplus_{i \in N'''} \overline{f_i}) \boxplus (a_X \boxdot \overline{b}) \in E_{pk}(ab)$.



In the following we present the case where $n < 16k$.

Theorem 1. There exists a simulator for the Mult protocol, which produces a view in the ideal-world that is computationally indistinguishable from the view produced by an execution of the Mult protocol in the real-world.

Proof outline: We give an outline of the main ideas used in the simulation. The main obstacle is Step 1c where $a + d$ should be handed to the adversary to simulate an oracle call to the Decrypt oracle. By choosing $d_i$ correctly for honest parties and using $S_{POPK}$ the simulator can learn $d$, but it cannot learn $a$. We handle this by letting one of the honest parties $P_s$ choose $\overline{d_s}$ as $\mathrm{Blind}(E_{pk}(d'_s) \boxminus \overline{a})$ for uniformly random $d'_s \in R_{pk}$. Then all values are still correctly distributed, but now the simulator can compute $a + d$ as $(\sum_{i \in N'' \setminus \{s\}} d_i) + d'_s$. Observe that the simulator now cannot compute the value $a_s$ which is necessary later. Doing the same computation on $d'_s$ it can however compute $a'_s = a_s + a$. Now assume that the simulator has access to an oracle returning an encryption $\overline{c}'$ of $a \cdot b$. Then it simulates Step 2 by computing $a_s \boxdot \overline{b}$ as $\mathrm{Blind}((a'_s \boxdot \overline{b}) \boxminus \overline{c}')$ and running $S_{POCM}$. Step 3 is simulated by giving the adversary $a_X$ (this value the simulator can compute as $s \notin X$) and Step 4 is simulated by doing the correct computation as the necessary values are available.

By the properties of the knowledge extractors and Blind it follows that the view produced as above is statistically indistinguishable from the view of a real-world execution. Now instead of the oracle value $\overline{c}'$ use a random encryption of $0_{pk}$. If this changes the view produced by the simulator by more than a computationally negligible amount, then, as the simulator does not use the secret keys of any honest party, the simulator would be a distinguisher of encryptions of $a \cdot b$ and encryptions of $0_{pk}$, contradicting the semantic security of the encryption scheme. The technical report [CDN00] contains a detailed proof. □

As the Decrypt protocol is assumed to be secure under parallel composition and our multiparty zero-knowledge proofs have been proven to be secure, so then, trivially, is the Mult protocol.



7.2 The FuncEval$_f$ Protocol

Now assume that the description of an arithmetic circuit for evaluating $f$ is given. The parties then evaluate $f$ in the following manner. First the parties run the Preprocess and the KD oracles and obtain the keys $(k_1, \ldots, k_n)$ for the trapdoor commitment scheme and $(pk, sk_1, \ldots, sk_n)$ for the encryption scheme. The key $sk_i$ is private to $P_i$. Each party $P_i$ then does a bitwise encryption $\overline{x_{i,j}} \leftarrow E_{pk}(x_{i,j})$ of its input $x_i$, broadcasts the encryptions, and proves in zero-knowledge that $\overline{x_{i,j}}$ does in fact contain either 0 or 1.^ For those $P_i$ failing the above proof the parties exclude them, take $x_i$ to be $000 \ldots 00$, and compute $\overline{x_{i,j}} \leftarrow E_{pk}(x_{i,j})[r]$ for some fixed agreed upon string $r \in \{0,1\}^*$. In this way all parties get to know common legal encrypted circuit inputs for all parties. Then the circuit is evaluated. In each round all gates that are ready to be evaluated are evaluated in parallel. Addition and subtraction gates are evaluated locally using $\boxplus$ and $\boxminus$; and multiplication gates are evaluated using the Mult protocol. Finally the parties decrypt the output gates and output the revealed values.

^ We will be needing a $\Sigma$-protocol for doing this, but such a protocol is easy to implement for the examples of threshold encryption that we give in Section 8.

Theorem 2. The FuncEval$_f$ protocol as described above securely evaluates $f$ in the presence of an active non-adaptive adversary corrupting at most a minority of the parties.^ The round complexity is in the order of the depth of the circuit for $f$ and the communication complexity of the protocol is $O((nk + d)|f|)$ bits, where $|f|$ denotes the size of the circuit for evaluating $f$ and $d$ denotes the communication complexity of a decryption.

Proof outline: Given a real-world adversary $A$ we construct a simulator $S(A)$ running in the ideal-world. The initial oracle calls are simulated by running the generators locally and giving the appropriate values to $A$. The simulator saves $(k_1, \ldots, k_n, pk, \{sk_i\}_{i \in C})$ for later use, but discards $sk_i$ for all honest parties. Assume for now that $S$ has access to an oracle giving it the values $\overline{x_{i,j}}$ for all honest parties. The simulator then gives the $\overline{x_{i,j}}$ values to $A$ and receives $\overline{x_{i,j}}$ for all corrupted parties from $A$. Using the knowledge extractor the simulator then learns all $x_{i,j}$ for corrupted parties that completed the proof that $\overline{x_{i,j}}$ contains 0 or 1. It uses these values as input to the ideal evaluation of $f$ and learns the output $y$. Now the gate evaluation is simulated using the simulator for the Mult protocol. The decryption (by oracle call) of output gates is simulated by just handing the correct value to $A$. These values are known, as the correct output $y$ of the computation is known to the simulator. This simulation is, by the properties of the knowledge extractors and the Mult simulator, computationally indistinguishable from that of a real-world execution. We get rid of the oracle values $\overline{x_{i,j}}$ as we did in the proof of Theorem 1.

The round complexity follows by inspection. The gates that give rise to communication are the input, multiplication, and output gates. The communication used to handle these gates is in the order of $n$ encryptions ($O(nk)$ bits), $n$ zero-knowledge proofs ($O(nk)$ bits as we have assumed that the $\Sigma$-protocols have communication complexity $O(k)$) and 1 decryption ($O(d)$ bits by definition). The total communication complexity therefore is $O((nk + d)|f|)$ as claimed. The technical report [CDN00] contains a detailed proof. □

The threshold homomorphic encryption schemes we present in Section 8 both have $d = O(kn)$. It follows that for deterministic $f$ the FuncEval$_f$ protocol based on any of these schemes has communication complexity $O(nk|f|)$ bits.

8 Examples of Threshold Homomorphic Cryptosystems 

In this section, we describe some concrete examples of threshold systems meeting our requirements, including $\Sigma$-protocols for proving knowledge of plaintexts, correctness of multiplications and validity of decryptions.

^ Generally we can make the protocol secure against any corruption structure for which the threshold cryptosystem is secure and for which one can generate short random challenges containing at least $k$ random bits as in Section 6.1.
Both our examples involve choosing as part of the public key a $k$-bit RSA modulus $N = pq$, where $p, q$ are chosen such that $p = 2p' + 1$, $q = 2q' + 1$ for primes $p', q'$ and both $p$ and $q$ have $k/2$ bits. For convenience in the proofs to follow, we will assume that the length of the challenges in all the proofs is $k/2 - 1$.



8.1 Basing It on Paillier’s Cryptosystem 

In [Pai99], Paillier proposes a probabilistic public-key cryptosystem where the public key is a $k$-bit RSA modulus $N$ and an element $g \in \mathbb{Z}_{N^2}^*$ of order divisible by $N$. The plaintext space for this system is $\mathbb{Z}_N$. In [DJ01] the cryptosystem is generalised to have plaintext space $\mathbb{Z}_{N^s}$ for any $s$ smaller than the factors of $N$, and there $g$ has order divisible by $N^s$. To encrypt $a \in \mathbb{Z}_{N^s}$, one chooses $r \in \mathbb{Z}_{N^{s+1}}^*$ at random and computes the ciphertext as $\overline{a} = g^a r^{N^s} \bmod N^{s+1}$. The private key is the factorisation of $N$, i.e., $\phi(N)$ or equivalent information. Under an appropriate complexity assumption given in [Pai99], this system is semantically secure, and it is trivially homomorphic over $\mathbb{Z}_{N^s}$ as we require here: we can set $\overline{a} \boxplus \overline{b} = \overline{a} \cdot \overline{b} \bmod N^{s+1}$. Furthermore, from $\alpha$ and an encryption $\overline{a}$, a random encryption of $\alpha a$ can be obtained by multiplying $\overline{a}^{\alpha} \bmod N^{s+1}$ by a random encryption of 0. In [DJ01] a threshold version of this system has been proposed, based on a variant of Shoup's [Sho00] technique for threshold RSA. A multiplication protocol was also given in [DJ01], though for a slightly different setting. We will not go into further details here, but note that using known techniques the multiplication protocol can be modified to meet our definition of a threshold homomorphic encryption scheme. The technical report [CDN00] contains more details.



Generalisations of FuncEval. Using standard techniques, the FuncEval-protocol can be extended to handle probabilistic functions. In this section we describe how this works when we instantiate using the Paillier cryptosystem. We show how random $\mathbb{Z}_{N^s}$-gates (outputting a uniformly random element from $\mathbb{Z}_{N^s}$ unknown to all parties) and random 0/1-gates (outputting a uniformly random element from $\{0,1\}$ unknown to all parties) can be implemented securely in a constant number of rounds.

As a stepping-stone we also recall how to implement inversion gates and do unbounded fan-in multiplication of invertible elements in a constant number of rounds (see [BB89]). Due to lack of space only the protocols are given, but they can all be proven secure using the techniques of the previous sections.

In the following, if $n > 16k$, let the random group denote the $4k$-subset $A$ given in the preprocessing and if $n < 16k$ let the random group be all the parties. Assume that the parties in the random group are indexed $1, \ldots, r(n,k)$. Observe that $r(n,k) \in O(\min(n,k))$ and that except with negligible probability the random group contains an honest party.

Random $\mathbb{Z}_{N^s}$-gates. All the parties in the random group pick a uniformly random element $a_i \in \mathbb{Z}_{N^s}$, broadcast an encryption $\overline{a_i}$, and prove knowledge of $a_i$. Then all the parties compute $\overline{a} = \boxplus_i \overline{a_i}$, and $a$ is the secret uniformly random $\mathbb{Z}_{N^s}$-element. The communication complexity is $O(r(n,k)k)$.

Inversion gates. Given $\overline{a}$, where $a$ is invertible, the parties generate $\overline{b}$ using a random $\mathbb{Z}_{N^s}$-gate. Since $b$ is invertible except with negligible probability, we assume in the following that it is. The parties compute $\overline{ab}$ and reveal $ab$ (this is secure since $ab$ is a uniformly random invertible element). The parties compute $(ab)^{-1}$ and $\overline{a^{-1}} = (ab)^{-1} \boxdot \overline{b}$. The communication complexity is $O(nk)$.
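An added, runnable illustration (not the paper's code) of the Mult protocol of Section 7.1 on top of the Paillier operations of Section 8.1, plus the random $\mathbb{Z}_{N^s}$-gate and inversion gate just described, with $s = 1$. The toy modulus and function names are this example's assumptions, POPK and POCM are replaced by assumed proof outcomes, and threshold Decrypt is replaced by a single decryptor holding the whole private key.

```python
import secrets
from math import gcd, lcm

# Toy Paillier instance (assumed for this example; a real one needs a k-bit modulus)
# with s = 1: plaintext space Z_N, ciphertexts in Z_{N^2}^*, g = N + 1.
p_, q_ = 1019, 1013
N = p_ * q_
N2 = N * N
lam = lcm(p_ - 1, q_ - 1)      # private key: equivalent to the factorisation of N
gP = N + 1                     # element of order divisible by N in Z_{N^2}^*


def rand_unit(mod):
    while True:
        r = secrets.randbelow(mod)
        if r > 1 and gcd(r, mod) == 1:
            return r


def E(a, r=None):
    """E_pk(a)[r] = g^a r^N mod N^2 with r random in Z_{N^2}^* (Section 8.1)."""
    r = rand_unit(N2) if r is None else r
    return pow(gP, a % N, N2) * pow(r, N, N2) % N2


def D(c):
    """Paillier decryption with the full private key; stands in for threshold Decrypt."""
    L = lambda u: (u - 1) // N                  # L(1 + xN) = x
    mu = pow(L(pow(gP, lam, N2)), -1, N)
    return L(pow(c, lam, N2)) * mu % N


def add(c1, c2):         # c1 ⊞ c2: multiply ciphertexts, add plaintexts
    return c1 * c2 % N2


def neg(c):              # ⊟ c: encryption of -a
    return pow(c, -1, N2)


def sub(c1, c2):         # c1 ⊟ c2
    return add(c1, neg(c2))


def mul_const(a, c):     # a ⊡ c: c^a, re-randomised with a random encryption of 0
    return pow(c, a % N, N2) * E(0) % N2


def blind(c):            # Blind(c): fresh random encryption of the same plaintext
    return c * E(0) % N2


def mult_protocol(a_bar, b_bar, n, cheaters=()):
    """Section 7.1 Mult with n participating parties; POPK and POCM are modelled by
    assuming all POPK proofs pass and that the parties in `cheaters` fail POCM."""
    # Step 1(a): each party shares a random d_i and broadcasts its encryption
    d = [secrets.randbelow(N) for _ in range(n)]
    d_bar = [E(di) for di in d]
    # Step 1(b): d_bar = ⊞ d_bar_i, e_bar = a_bar ⊞ d_bar
    dsum_bar = d_bar[0]
    for c in d_bar[1:]:
        dsum_bar = add(dsum_bar, c)
    e_bar = add(a_bar, dsum_bar)
    # Step 1(c): Decrypt reveals a + d; d is uniform, so this says nothing about a
    a_plus_d = D(e_bar)
    # Step 1(d): additive shares a_i of a with their encryptions a_bar_i
    a_i = [(a_plus_d - d[0]) % N] + [(-di) % N for di in d[1:]]
    a_bar_i = [sub(e_bar, d_bar[0])] + [neg(c) for c in d_bar[1:]]
    # Step 2: f_bar_i = a_i ⊡ b_bar; a cheater publishes something else and fails POCM
    f_bar = [mul_const(ai, b_bar) for ai in a_i]
    X = set(cheaters)
    for i in X:
        f_bar[i] = E(secrets.randbelow(N))
    # Step 3: a_X = Decrypt(⊞_{i in X} a_bar_i), the shares of the excluded parties
    a_X = 0
    if X:
        acc = None
        for i in X:
            acc = a_bar_i[i] if acc is None else add(acc, a_bar_i[i])
        a_X = D(acc)
    # Step 4: c_bar = (⊞_{i not in X} f_bar_i) ⊞ (a_X ⊡ b_bar)
    c_bar = mul_const(a_X, b_bar)
    for i in range(n):
        if i not in X:
            c_bar = add(c_bar, f_bar[i])
    return c_bar


def random_gate(r):
    """Random Z_N-gate: each of the r parties in the random group adds an encryption."""
    acc = E(secrets.randbelow(N))
    for _ in range(r - 1):
        acc = add(acc, E(secrets.randbelow(N)))
    return acc


def inversion_gate(a_bar, n):
    """Inversion gate for invertible a: reveal ab for random b (uniform, so harmless),
    then output (ab)^-1 ⊡ b_bar, an encryption of a^-1."""
    while True:
        b_bar = random_gate(n)
        ab = D(mult_protocol(a_bar, b_bar, n))
        if gcd(ab, N) == 1:      # b invertible except w.n.p.; retried here for the toy N
            return mul_const(pow(ab, -1, N), b_bar)
```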



Constant-round unbounded fan-in multiplication of invertible elements. Given encryptions $\overline{x_1}, \ldots, \overline{x_l}$ of invertible elements the parties generate secret random $\mathbb{Z}_{N^s}$-elements $y_0, \ldots, y_l$, compute $\overline{y_0^{-1}}, \ldots, \overline{y_l^{-1}}$, and compute and reveal $z_i = y_{i-1} x_i y_i^{-1}$, $i = 1, \ldots, l$. Then they compute an encryption of $\prod_{i=1}^l x_i = y_0^{-1} (\prod_{i=1}^l z_i) y_l$. The communication complexity of this is $O(lnk)$.



Random 0/1-gates. Each party in the random group generates a random bit $b_i$, publishes $\overline{b_i}$, proves knowledge of $b_i \in \{0,1\}$, and all the parties compute $\overline{b}$, an encryption of $b = b_1 \oplus \cdots \oplus b_{r(n,k)}$, where each exclusive-or $b \oplus b' = b + b' - 2bb'$ is computed with $\boxplus$, $\boxminus$, $2 \boxdot$ and one Mult. The communication complexity of this is $O(r(n,k)nk)$.



8.2 Basing It on QRA and DDH 

In this section, we describe a cryptosystem which is a simplified variant of Franklin and Haber's system [FH96]; a somewhat similar (but non-threshold) variant was suggested by one of the authors of the present paper and appears in [FH96].

For this system, we choose an RSA modulus $N = pq$, where $p, q$ are chosen such that $p = 2p' + 1$, $q = 2q' + 1$ for primes $p', q'$. We also choose a random generator $g$ of $SQ(N)$, the subgroup of quadratic residues modulo $N$ (which here has order $p'q'$). We finally choose $x$ at random modulo $p'q'$ and let $h = g^x \bmod N$. The public key is now $N, g, h$ while $x$ is the secret key.

The plaintext space of this system is $\mathbb{Z}_2$. We set $\Delta = n!$ (recall that $n$ is the number of parties). Then to encrypt a bit $b$, one chooses at random $r$ modulo $N^2$ and a bit $c$ and computes the ciphertext

$((-1)^c g^r \bmod N,\ (-1)^b h^{4\Delta^2 r} \bmod N).$

The purpose of choosing $r$ modulo $N^2$ is to make sure that $g^r$ will be close to uniform in the group generated by $g$ even though the order of $g$ is not public. It is clear that a ciphertext can be decrypted if one knows $x$. The purpose of having $h^{4\Delta^2 r}$ (and not $h^r$) in the ciphertext will be explained below.

The system clearly has the required homomorphic properties, we can set:

$(\alpha, \beta) \boxplus (\gamma, \delta) = (\alpha\gamma \bmod N,\ \beta\delta \bmod N).$

Finally, from an encryption $(\alpha, \beta)$ of a value $a$ and a known $b$, one can obtain a random encryption of the value $ba \bmod 2$ by first setting $(\gamma, \delta)$ to be a random encryption of 0 and then outputting $(\alpha^b \gamma \bmod N,\ \beta^b \delta \bmod N)$.

We now argue that under the Quadratic Residuosity Assumption (QRA) and the Decisional Diffie-Hellman Assumption (DDH), the system is semantically secure. Recall that DDH says that the distributions $(g, h, g^r \bmod p, h^r \bmod p)$ and $(g, h, g^r \bmod p, h^s \bmod p)$ are indistinguishable, where $g, h$ both generate the subgroup of order $p'$ in $\mathbb{Z}_p^*$ and $r, s$ are independent and random in $\mathbb{Z}_{p'}$. By the Chinese remainder theorem, this is easily seen to imply that also the distributions $(g, h, g^r \bmod N, h^r \bmod N)$ and $(g, h, g^r \bmod N, h^s \bmod N)$ are indistinguishable, where $g, h$ both generate $SQ(N)$ and $r, s$ are independent and random in $\mathbb{Z}_{p'q'}$. Omitting some tedious details, we can then conclude that the distributions

$(g, h, (-1)^c g^r \bmod N,\ (-1)^b h^{4\Delta^2 r} \bmod N)$

$(g, h, (-1)^c g^r \bmod N,\ (-1)^b h^{4\Delta^2 s} \bmod N)$

$(g, h, (-1)^c g^r \bmod N,\ h^{4\Delta^2 s} \bmod N)$

$(g, h, (-1)^c g^r \bmod N,\ h^{4\Delta^2 r} \bmod N)$

are indistinguishable, using (in that order) DDH, QRA and DDH.



Threshold Decryption. Shoup's method for threshold RSA [Sho00] can be directly applied here: he shows that if one secret-shares $x$ among the parties using a polynomial computed modulo $p'q'$ and publishes some extra verification information, then the parties can jointly and securely raise an input number to the power $4\Delta^2 x$. This is clearly sufficient to decrypt a ciphertext as defined here: to decrypt the pair $(\alpha, \beta)$, compute $\beta \alpha^{-4\Delta^2 x} \bmod N$. We do not describe the details here, as the protocol from [Sho00] can be used directly. We only note that decryption can be done by having each party broadcast a single message and prove by a $\Sigma$-protocol that it is correct. The communication complexity of this is $O(nk)$ bits. In the original protocol the random oracle model is used when parties prove that they behave correctly. However, the proofs can instead be done according to our method for multiparty $\Sigma$-protocols without loss of efficiency (Section 6). This also immediately implies a protocol that will decrypt several ciphertexts in parallel.



Proving You Know a Plaintext. We will need an efficient way for a party to prove in zero-knowledge that a pair $(\alpha, \beta)$ he created is a legal ciphertext, and that he knows the corresponding plaintext. A pair is valid if and only if $\alpha, \beta$ both have Jacobi symbol 1 (which can be checked easily) and if for some $r$ we have $(g^2)^r = \alpha^2 \bmod N$ and $(h^{8\Delta^2})^r = \beta^2 \bmod N$. This last pair of statements can be proved non-interactively and efficiently by a standard equality of discrete log proof. Note that the squarings of $\alpha, \beta$ ensure that we are working in $SQ(N)$, which is necessary to ensure soundness.
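The QRA/DDH cryptosystem of this section as an added, runnable example (not the paper's code): encryption of a bit, the two homomorphic operations, decryption with the secret $x$ via $\beta\alpha^{-4\Delta^2 x}$, and the ciphertext-validity relation (Jacobi symbols plus the $(g^2)^r = \alpha^2$, $(h^{8\Delta^2})^r = \beta^2$ check) that the plaintext-knowledge proof is about. The toy safe primes, $n = 3$ parties and the function names are this example's assumptions; threshold sharing of $x$ is not modelled.

```python
import secrets
from math import factorial, gcd

# Safe primes p = 2p'+1, q = 2q'+1 (toy sizes assumed for this example; the paper
# wants k/2-bit primes) and Delta = n! for n parties.
p, p_, q, q_ = 227, 113, 263, 131
N = p * q
n_parties = 3
Delta = factorial(n_parties)
EXP = 4 * Delta * Delta                  # the 4*Delta^2 factor in the second component


def jacobi(a, m):
    """Jacobi symbol (a/m) for odd m > 0."""
    a %= m
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if m % 8 in (3, 5):
                result = -result
        a, m = m, a
        if a % 4 == 3 and m % 4 == 3:
            result = -result
        a %= m
    return result if m == 1 else 0


def keygen():
    """g generates SQ(N) (order p'q'), x random modulo p'q', h = g^x mod N."""
    while True:
        g = pow(secrets.randbelow(N), 2, N)
        if gcd(g, N) == 1 and pow(g, p_, N) != 1 and pow(g, q_, N) != 1:
            break
    x = secrets.randbelow(p_ * q_)
    return (g, pow(g, x, N)), x


def encrypt(pk, b, r=None, c=None):
    """Bit b -> ((-1)^c g^r mod N, (-1)^b h^{4 Delta^2 r} mod N), r random modulo N^2."""
    g, h = pk
    r = secrets.randbelow(N * N) if r is None else r
    c = secrets.randbelow(2) if c is None else c
    alpha = (-1) ** c * pow(g, r, N) % N
    beta = (-1) ** b * pow(h, EXP * r, N) % N
    return alpha, beta


def decrypt(pk, x, ct):
    """beta * alpha^{-4 Delta^2 x} mod N = (-1)^b: the even exponent removes (-1)^c."""
    alpha, beta = ct
    v = beta * pow(alpha, -EXP * x, N) % N
    if v == 1:
        return 0
    if v == N - 1:
        return 1
    raise ValueError("not a valid ciphertext")


def add(ct1, ct2):
    """(alpha, beta) ⊞ (gamma, delta) = (alpha*gamma, beta*delta) mod N: XOR of the bits."""
    return ct1[0] * ct2[0] % N, ct1[1] * ct2[1] % N


def mul_const(pk, b, ct):
    """Known bit b times an encryption: (alpha^b gamma, beta^b delta), (gamma, delta) <- E(0)."""
    gamma, delta = encrypt(pk, 0)
    return pow(ct[0], b, N) * gamma % N, pow(ct[1], b, N) * delta % N


def is_valid_ciphertext(pk, ct, r):
    """The relation behind the plaintext-knowledge proof: Jacobi symbols 1 and, for
    the prover's r, (g^2)^r = alpha^2 and (h^{8 Delta^2})^r = beta^2 mod N."""
    g, h = pk
    alpha, beta = ct
    return (jacobi(alpha, N) == 1 and jacobi(beta, N) == 1
            and pow(pow(g, 2, N), r, N) == pow(alpha, 2, N)
            and pow(pow(h, 2 * EXP, N), r, N) == pow(beta, 2, N))
```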
This protocol has the standard 3-move form of a $\Sigma$-protocol. It proves that an $r$ fitting with $\alpha, \beta$ exists. But it does not prove that the prover knows such an $r$ (and hence knows the plaintext), unless we are willing to also assume the strong RSA assumption.^ With this assumption, on the other hand, the equality of discrete log proof is indeed a proof of knowledge.

However, it is possible to do without this extra assumption: observe that if $\beta$ was correctly constructed, then the prover knows a square root of $\beta$ (namely $h^{2\Delta^2 r}$) iff $b = 0$, and he knows a root of $-\beta$ otherwise. One way to exploit this observation is if we have a commitment scheme available that allows committing to elements in $\mathbb{Z}_N$. Then $P_i$ can commit to his root $a$, and prove in zero-knowledge that he knows $a$ and that $a^4 = \beta^2 \bmod N$. This would be sufficient since it then follows that $a^2$ is $\beta$ or $-\beta$.

Here is a commitment scheme (already well known) for which this can be done efficiently: choose a prime $P$ such that $N$ divides $P - 1$ and choose elements $G, H$ of order $N$ modulo $P$, but where no party knows the discrete logarithm of $H$ base $G$. This can all be set up initially (recall that we already assume that keys are set up once and for all). Then a commitment to $a$ has the form $(G^r \bmod P,\ G^a H^r \bmod P)$, and is opened by revealing $a, r$. It is easy to see that this scheme is unconditionally binding, and is hiding under the DDH assumption (which we already assumed). Let $[a]$ denote a commitment to $a$ and let $[a][\beta] \bmod P$ be the commitment you obtain in the natural way by componentwise multiplication modulo $P$. It is then clear that $[a][\beta] \bmod P$ is a commitment to $a + \beta \bmod N$.

It will be sufficient for our purposes to make a $\Sigma$-protocol that takes as input commitments $[\alpha], [\beta], [\gamma]$, shows that the prover knows $\alpha$ and shows that $\alpha\beta = \gamma \bmod N$. Here follows such a protocol:

1. Inputs are commitments $[\alpha], [\beta], [\gamma]$ where $P_i$ claims that $\alpha\beta = \gamma \bmod N$. $P_i$ chooses a random $\delta$ and makes commitments $[\delta], [\delta\beta]$.

2. The verifier sends a random $e$.

3. $P_i$ opens the commitment $[\alpha]^e [\delta] \bmod P$ to reveal a value $e_1$. $P_i$ opens the commitment $[\beta]^{e_1} [\delta\beta]^{-1} [\gamma]^{-e} \bmod P$ to reveal 0.

4. The verifier accepts iff the commitments are correctly opened as required.

Using standard techniques, it is straightforward to show that this protocol is a $\Sigma$-protocol. The technical report [CDN00] contains more details.



Proving Multiplications Correct. Finally, we need to consider the scenario where party $P_i$ has been given an encryption $C_a$ of $a$, has chosen a constant $b$, and has published encryptions $C_b, D$ of values $b, ba$, and where $D$ has been constructed by $P_i$ as we described above. It follows from this construction that if $b = 1$, then $D = C_a \boxplus E$ where $E$ is a random encryption of 0. Assuming $b = 1$, $E$ can be easily reconstructed from $D$ and $C_a$.

^ That is, assume that it is hard to invert the RSA encryption function, even if the adversary is allowed to choose the public exponent.
Now we want a $\Sigma$-protocol that $P_i$ can use to prove that $D$ contains the correct value. Observe that this is equivalent to the statement

(($C_b$ encrypts 0) AND ($D$ encrypts 0)) OR (($C_b$ encrypts 1) AND ($E$ encrypts 0))

We have already seen how to prove by a $\Sigma$-protocol that an encryption $(\alpha, \beta)$ contains a value $b$, by proving that you know a square root of $(-1)^b \beta$. Now, standard techniques from [?] can be applied to building a new $\Sigma$-protocol proving a monotone logical combination of statements such as we have here.

9 An Optimisation of the FuncEval Protocol

The following optimisation of the FuncEval protocol was brought to our attention by an anonymous referee. The optimisation applies to the situation where at most $(\tfrac{1}{2} - c)n$ parties, for some $c > 0$, can be corrupted and $n$ is larger than $k$. In that case we can use the random group for doing the entire computation. The decryption keys for the threshold cryptosystem are distributed only to the random group, and all parties are given the public key. All parties then broadcast encryptions of their inputs as before. Then the parties in the random group do the actual computation and broadcast the result. The communication complexity of this is $O(k^2 |C|)$, as the initial broadcast of inputs is dominated by the computation. This is better than $O(kn|C|)$ if $n > k$. The same optimisation applies to any MPC protocol by letting the parties secret-share their input among the random group initially. This typically reduces a complexity of $O(k^2 n^2 |C|)$ to $O(k^{[\ldots]}|C|)$. Finally, $k^{[\ldots]}$ can be replaced by $k$ to obtain a communication complexity of $O(k|C|)$ using the weakly security preserving reduction of Footnote [?]. Note that the last part of the transformation has no practical value: it is a property of the security model that allows one to trade security for cuts in complexity.
Abstract. We consider the question of adaptive security for two related cryptographic primitives: all-or-nothing transforms and exposure-resilient functions. Both are concerned with retaining security when an intruder learns some bits of a string which is supposed to be secret: all-or-nothing transforms (AONT) protect their input even given partial knowledge of the output; exposure-resilient functions (ERF) hide their output even given partial exposure of their input. Both of these primitives can be defined in the perfect, statistical and computational settings and have a variety of applications in cryptography. In this paper, we study how these notions fare against adaptive adversaries, who may choose which positions of a secret string to observe on the fly.

In the perfect setting, we prove a new, strong lower bound on the constructibility of (perfect) AONT. This applies to both standard and adaptively secure AONT. In particular, to hide an input as short as $\log n$ bits, the adversary must see no more than half of the $n$-bit output. This bound also provides a new impossibility result on the existence of (ramp) secret-sharing schemes [6] and relates to a combinatorial problem of independent interest: finding "balanced" colorings of the hypercube.

In the statistical setting, we show that adaptivity adds strictly more power to the adversary. We relate and reduce the construction of adaptive ERF's to that of almost-perfect resilient functions [19], for which the adversary can actually set some of the input positions and still learn nothing about the output. We give a probabilistic construction of these functions which is essentially optimal and substantially improves on previous constructions of [19,5]. As a result, we get nearly optimal adaptively secure ERF's and AONT's. Finally, extending the statistical construction we obtain optimal computational adaptive ERF's, "public-value" AONT's and resilient functions.



1 Introduction 

Recently, there has been an explosion of work [?] surrounding an intriguing notion introduced by Rivest called the All-Or-Nothing Transform (AONT) [23]. Roughly speaking, an AONT is a randomized mapping which can be efficiently inverted if given the output in full, but which leaks no information about its input to an adversary even if the adversary obtains almost all the bits of the output. The AONT has been shown to have important cryptographic applications ranging from increasing the efficiency of block ciphers [?] to protecting against almost complete exposure of secret keys [?]. The first formalization and constructions for the AONT were given by Boyko [?] in the Random-Oracle model. However, recently Canetti et al. [10] were able to formalize and exhibit efficient constructions for the AONT in the standard computational model. They accomplished this goal by reducing the task of constructing AONT's to constructing a related primitive which they called an Exposure-Resilient Function (ERF) [10]. An ERF is a deterministic function whose output looks random to an adversary even if the adversary obtains almost all the bits of the input. A salient feature of the work of [10] is the fact that they were able to achieve good results for the computational (and most cryptographically applicable) versions of these notions by first focusing on the perfect and statistical forms of AONT's and ERF's.



1.1 Background 

We first recall informally the definitions of the two main notions we examine in this paper. An $\ell$-AONT [?] is an efficiently computable and invertible randomized transformation $T$, which transforms any string $x$ into a pair of strings $(y_s, y_p)$, respectively called the secret and the public part of $T$. While the invertibility of $T$ allows one to reconstruct $x$ from the entire $T(x) = (y_s, y_p)$, we require that any adversary learning all of $y_p$ and all but $\ell$ bits of $y_s$ obtains "no information" about $x$.

On the other hand, an $\ell$-ERF [10] is an efficiently computable deterministic function $f$ on strings such that even if an adversary learns all but $\ell$ bits of a randomly chosen input $r$, it still cannot distinguish the output $f(r)$ from a random string. As usual, we can define perfect, statistical, and computational versions of these notions. It is easy to see that in the perfect or statistical settings, the length of the output of an $\ell$-ERF can be at most $\ell$; whereas for perfect or statistical $\ell$-AONT's, the length of the input is at most $\ell$. To beat these trivial bounds, one must examine the computational forms of ERF's and AONT's. Indeed, if we are given a pseudorandom generator, it is easy to see that by applying the generator to the output of a perfect or statistical ERF, we can obtain ERF's with arbitrary (polynomial) output size.

Canetti et al. [10] showed that the following simple construction suffices to construct AONT's from ERF's. Given an $\ell$-ERF $f$ mapping $\{0,1\}^n$ to $\{0,1\}^k$, we construct an $\ell$-AONT $T$ transforming $k$ bits to $n$ bits of secret output and $k$ bits of public output: $T(x) = (r, f(r) \oplus x)$. Intuitively, if at least $\ell$ bits of $r$ are missed, then $f(r)$ "looks" random. Hence $f(r) \oplus x$ also looks random, thus hiding all information about the input $x$.

Applications. The All-Or-Nothing Transform and its variants have been applied to a variety of problems. In the perfect setting, it is a special case of a ramp scheme [6], useful for sharing secrets efficiently. Its statistical variant can be used to provide secure communication over the "wire-tap channel II", a partly public channel where the adversary can observe almost all the bits communicated (but the sender and the receiver do not know which) [?]. In the computational setting, it also has many uses. Rivest [23] and later Desai [?] use it to enhance the security of block ciphers against brute-force key search. Matyas et al. [?] propose to use AONT to increase the efficiency of block ciphers: rather than encrypt all blocks of the message, apply an AONT to the message and encrypt only one or very few blocks. The same idea is used in various forms by Jakobsson et al. [?] and Blaze [?] to speed up remotely-keyed encryption. Similarly, it can be combined with authentication to yield a novel encryption technique [?]. Several other applications have been suggested by [?].

Another class of applications for (computational) AONT's was suggested by Canetti et al. [10]. They considered a situation where one of our most basic cryptographic assumptions breaks down: the secrecy of a key can become partially compromised (a problem called partial key exposure). They point out that most standard cryptographic definitions do not guarantee (and often violate) security once even a small portion of the key has been exposed. The AONT offers a solution to this problem. Namely, rather than store a secret key $x$, one stores $y = T(x)$ instead. Now the adversary gets no information about the secret key even if he manages to get all but $\ell$ bits of $y$. The problem of gradual key exposure is also raised by [10], where information about a (random) private key is slowly but steadily leaked to an adversary. In this situation, the private key can be "renewed" using an ERF to protect it against discovery by the adversary, while additionally providing forward security when the "current" key is totally compromised.

1.2 Adaptive Security 

In many of the applications above, the question of adaptive security arises naturally. For example, in the problem of partial key exposure, it is natural to consider an adversary that is able to first gain access to some fraction of the bits of the secret, and then decides which bits to obtain next as a function of the bits the adversary has already seen.

Perfect AONT's and Adaptive Security. In the definition of a perfect $\ell$-AONT, we demand that any subset of all but $\ell$ bits of the output must be completely independent of the input $x$.* In this case, it is trivial to observe that there is no difference between adaptive and non-adaptive security. Hence, if we could construct good perfect AONT's, this would also solve the problem of constructing adaptively secure AONT's.

Consider $\ell$-AONT's that transform $k$ bits to $n$ bits. [?] show how to construct perfect $\ell$-AONT's where $\ell = n(\tfrac{1}{2} + \epsilon)$ for any $\epsilon > 0$ (at the expense of smaller $k = C(n)$), but were unable to construct perfect AONT's with $\ell < n/2$ (i.e. perfect AONT's where the adversary could learn more than half of the output).

* In the perfect setting, public output is not needed (e.g., can be fixed a-priori).
Perfect AONT's — Our Contribution. In our work, we show that unfortunately this limitation is inherent. More precisely, whenever $n \le 2^k$, the adversary must miss at least half of the output in order not to learn anything about the input. We prove this bound by translating the question of constructing perfect $\ell$-AONT's to the question of finding "$\ell$-balanced" weighted colorings of the hypercube, which is of independent combinatorial interest. Namely, we want to color and weight the nodes of the $n$-dimensional hypercube $\mathcal{H} = \{0,1\}^n$ using $c = 2^k$ colors, such that every $\ell$-dimensional subcube of $\mathcal{H}$ is "equi-colored" (i.e. has the same total weight for each of the $c$ colors). We prove our result by non-trivially extending the beautiful lower bound argument of Friedman [?] (which only worked for unweighted colorings) to our setting. Our bound also gives a new bound on ramp secret sharing schemes [6]. In such schemes one divides the secret of size $k$ into $n$ shares such that there are two thresholds $t$ and $(t - \ell)$ such that any $t$ shares suffice to reconstruct the secret but no $(t - \ell)$ shares yield any information. To our knowledge, the best known bound for ramp schemes [?] was $\ell \ge k$. Our results imply a much stronger bound of $\ell \ge t/2$ (when each share is a bit; over larger alphabets of size $q$ we get $\ell \ge t/q$).

Therefore, we show that despite their very attractive perfect security, perfect AONT's are of limited use in most situations, and do not offer a compelling way to achieve adaptive security.

Statistical ERF's and Adaptive Security. The definition of a perfect $\ell$-ERF (mapping $n$ bits to $k$ bits) states that the output, when considered jointly with any subset of $(n - \ell)$ bits of the input, must be truly uniform. In this case, clearly once again adaptive and non-adaptive security collapse into one notion. The definition of a (non-adaptive) statistical $\ell$-ERF, however, allows for the joint distribution above to be merely close to uniform. In this case, the non-adaptive statistical definition does not imply adaptive security, and in particular the construction given in [10] of statistical ERF's fails to achieve adaptive security.* Intuitively, it could be that a small subset of the input bits $S_1$ determines some non-trivial boolean relation of another small subset of the input bits $S_2$ with the output of the function (e.g., for a fixed value of the bits in $S_1$, one output bit might depend only on bits in $S_2$). In the adaptive setting, reading $S_1$ and then $S_2$ would break an ERF. In the non-adaptive setting, however, any fixed subset of the input bits is very unlikely to contain $S_1 \cup S_2$. (A similar discussion applies to AONT's.) In other words, statistical constructions of [10] were able to produce statistical $\ell$-ERF's (and $\ell$-AONT's) with nearly optimal $\ell = k + o(k)$, but failed to achieve adaptive security, while perfect ERF's achieve adaptive security, but are limited to $\ell \ge n/2$ [?].

* For more details, see Section 2.2.

Statistical ERF's — Our Contribution. Thus, we seek to identify notions lying somewhere in between perfect and statistical (non-adaptive) ERF's that would allow us to construct adaptively secure ERF's (and AONT's), and yet achieve better parameters than those achievable by perfect ERF's (and AONT's). In this task, we make use of resilient functions (RF's). These were first defined in the perfect setting by Vazirani [?] and first studied by Chor et al. [?] and independently by Bennett et al. [?]. An $\ell$-RF is identical to an $\ell$-ERF except that the adversary, instead of merely observing certain bits of the input, gets to set all but $\ell$ bits of the input.† Note that the notions of ERF and RF are the same when considered in the perfect setting. A statistical variant of resilient functions (no longer equivalent to ERF's) was first considered by Kurosawa et al. [19], who also gave explicit constructions of such functions (improved by [5]).

We show that the strong notion of statistical RF's introduced by Kurosawa et al. [19] suffices to construct adaptively secure ERF's (and AONT's). While the construction of Kurosawa et al. [19] already slightly beats the lower bound for perfect ERF's, it is very far from the trivial lower bound of $\ell \ge k$ (in fact, it is still limited to $\ell \ge n/2$). We present an efficient probabilistic construction of such "almost-perfect" RF's achieving optimal $\ell = k + o(k)$. While not fully deterministic, our construction has to be run only once and for all, after which the resulting efficient function is "good" with probability exponentially close to 1, and can be deterministically used in all the subsequent applications. As a result of this construction and its relation to adaptive ERF's and AONT's, we achieve essentially optimal security parameters for adaptive security by focusing on a stronger notion of almost-perfect RF's.

We also take the opportunity to study several variants of statistical RF's and (static/adaptive) ERF's, and give a complete classification of these notions, which may be of additional, independent interest.

Computational Setting. As we pointed out, [10] used their statistical (non-adaptive) constructions to get ERF's and AONT's in the computational setting. We show that the same techniques work with our adaptive definitions. Coupled with our statistical constructions, we get nearly optimal computational constructions as well.

Larger alphabets. To simplify the presentation and the discussion of the results in this paper, as well as to relate them more closely with the previous work, we restrict ourselves to discussing exposure-resilient primitives over the alphabet $\{0,1\}$. However, all our notions and results can be easily generalized to larger alphabets.



1.3 Organization 

In Section 2 we define the central objects of study in our paper, and review some of the relevant previous work of [10]. In Section 3 we study perfect AONT's, relate them to hypercube colorings and prove the strong lower bound on $\ell$ (showing the limitations of perfect AONT's). Finally, in Section 4 we study variants of statistical ERF's that will allow us to achieve adaptive security. We show that "almost-perfect" RF's of [19] achieve this goal, and exhibit a simple and almost optimal (probabilistic) construction of such functions. In particular, we show the existence of adaptively secure AONT's and ERF's with essentially optimal parameters.

† In much of the literature about resilient functions, such a function would be called an $(n - \ell)$-resilient function. We adopt our notation for consistency.



2 Preliminaries 

Let $\binom{[n]}{\ell}$ denote the set of size-$\ell$ subsets of $[n] = \{1, \ldots, n\}$. For $L \in \binom{[n]}{\ell}$, $y \in \{0,1\}^n$, let $[y]_L$ denote $y$ restricted to its $(n - \ell)$ bits not in $L$. We say a function $\epsilon(n)$ is negligible (denoted by $\epsilon = \mathrm{negl}(n)$) if for every constant $c$, $\epsilon(n) = O(1/n^c)$. We denote an algorithm $A$ which has oracle access to some string $y$ (i.e., can query individual bits of $y$) by $A^y$.



2.1 Definitions for Non-adaptive Adversaries 

For static adversaries, the definitions of AONT and ERF can be stated quite efficiently in terms of perfect, statistical or computational indistinguishability (see [?]). For consistency we have also provided a definition of RF (where adaptivity does not make sense, and hence the adversary can be seen as "static").

Note that for full generality, we follow the suggestion of [10] and allow the all-or-nothing transform to have two outputs: a public part which we assume the adversary always sees; and a secret part, of which the adversary misses $\ell$ bits.

Definition 1. A polynomial-time randomized transformation $T : \{0,1\}^k \to \{0,1\}^s \times \{0,1\}^p$ is an $\ell$-AONT (all-or-nothing transform) if

1. $T$ is polynomial-time invertible, i.e. there exists an efficient $I$ such that for any $x \in \{0,1\}^k$ and any $y = (y_1, y_2) \in T(x)$, we have $I(y) = x$. We call $y_1$ the secret part and $y_2$ the public part of $T$.

2. For any $L \in \binom{[s]}{\ell}$, $x_0, x_1 \in \{0,1\}^k$: $(x_0, x_1, [T(x_0)]_L) \approx (x_0, x_1, [T(x_1)]_L)$. Here $\approx$ can refer to perfect, statistical or computational indistinguishability.

If $p = 0$, the resulting AONT is called secret-only.

Definition 2. A polynomial time function $f : \{0,1\}^n \to \{0,1\}^k$ is an $\ell$-ERF (exposure-resilient function) if for any $L \in \binom{[n]}{\ell}$ and for a randomly chosen $r \in \{0,1\}^n$, $R \in \{0,1\}^k$, we have: $([r]_L, f(r)) \approx ([r]_L, R)$.

Here $\approx$ can refer to perfect, statistical or computational indistinguishability.

Definition 3. A polynomial time function $f : \{0,1\}^n \to \{0,1\}^k$ is an $\ell$-RF (resilient function) if for any $L \in \binom{[n]}{\ell}$, for any assignment $w \in \{0,1\}^{n-\ell}$ to the positions not in $L$, for a randomly chosen $r \in \{0,1\}^n$ subject to $[r]_L = w$ and random $R \in \{0,1\}^k$, we have: $(f(r) \mid [r]_L = w) \approx (R)$.

Here $\approx$ can refer to perfect, statistical or computational indistinguishability.

Notice, for $L \in \binom{[s]}{\ell}$ we have notationally that $[(y_1, y_2)]_L = ([y_1]_L, y_2)$.
As an obvious note, an $\ell$-RF is also a static $\ell$-ERF (as we shall see, this will no longer hold for adaptive ERF; see Lemma [?]).

Perfect primitives. It is clear that perfect ERF are the same as perfect RF. Additionally, perfect AONT's are easy to construct from perfect ERF's. In particular one could use the simple one-time pad construction of [10]: $T(x) = (r, f(r) \oplus x)$, where $r$ is the secret part of the AONT. However, we observe that (ignoring the issue of efficiency) there is no need for the public part in the perfect AONT (i.e., we can fix it to any valid setting $y_2$ and consider the restriction of the AONT where the public part is always $y_2$). Setting $y_2 = 0$ in the one-time pad construction implies an AONT where we output a random $r$ subject to $f(r) = x$. Thus, in the perfect setting the "inverse" of an $\ell$-ERF is an $\ell$-AONT, and we get:

Lemma 1. (Ignoring issues of efficiency) A perfect $\ell$-ERF $f : \{0,1\}^n \to \{0,1\}^k$ implies the existence of a perfect (secret-only) $\ell$-AONT $T : \{0,1\}^k \to \{0,1\}^n$.

While the reduction above does not work with statistical ERF (to produce statistical AONT), we will show that it works with a stronger notion of almost-perfect RF (to produce statistical AONT). See Lemma [?].



2.2 Definitions for Adaptive Adversaries 

Adaptively Secure AONT. In the ordinary AONT's the adversary has to "decide in advance" which $(s - \ell)$ bits of the (secret part of) the output it is going to observe. This is captured by requiring the security for all fixed sets $L$ of cardinality $\ell$. While interesting and non-trivial to achieve, in many applications (e.g. partial key exposure, secret sharing, protecting against exhaustive key search, etc.) the adversary potentially has the power to choose which bits to observe adaptively. For example, at the very least it is natural to assume that the adversary could decide which bits of the secret part to observe after it learns the public part. Unfortunately, the constructions of [10] do not even achieve this minimal adaptive security, invalidating their claim that "public part requires no protection and can be given away for free". More generally, the choice of which bit(s) to observe next may partially depend on which bits the adversary has already seen. Taken to the most extreme, we can allow the adaptive adversary to read the bits of the secret part "one-bit-at-a-time", as long as he misses at least $\ell$ of them.

Definition 4. A polynomial time randomized transformation $T : \{0,1\}^k \to \{0,1\}^s \times \{0,1\}^p$ is a (perfect, statistical or computational) adaptive $\ell$-AONT (adaptive all-or-nothing transform) if

1. $T$ is efficiently invertible, i.e. there is a polynomial time machine $I$ such that for any $x \in \{0,1\}^k$ and any $y = (y_1, y_2) \in T(x)$, we have $I(y) = x$.

2. For any adversary $A$ who has oracle access to string $y = (y_s, y_p)$ and is required not to read at least $\ell$ bits of $y_s$, and for any $x_0, x_1 \in \{0,1\}^k$, we have: $|\Pr(A^{T(x_0)}(x_0, x_1) = 1) - \Pr(A^{T(x_1)}(x_0, x_1) = 1)| \le \epsilon$, where

— In the perfect setting $\epsilon = 0$.

— In the statistical setting $\epsilon = \mathrm{negl}(s + p)$.

— In the computational setting $\epsilon = \mathrm{negl}(s + p)$ for any PPT $A$.

We stress that the adversary can base its queries on $x_0, x_1$, the public part of the output, as well as those parts of the secret output that it has seen so far. We also remark that in the perfect setting this definition is equivalent to that of an ordinary perfect $\ell$-AONT. Thus, adaptivity does not help the adversary in the perfect setting (because the definition of a perfect AONT is by itself very strong!). In particular, good perfect AONT's are good adaptive AONT's. Unfortunately, we will later show that very good perfect AONT's do not exist.

Adaptively Secure ERF. In the original definition of ERF [10], the adversary has to "decide in advance" which $(n - \ell)$ input bits it is going to observe. This is captured by requiring the security for all fixed sets $L$ of cardinality $\ell$. However, in many situations (e.g., the problem of gradual key exposure [10]), the adversary has more power. Namely, it can decide which $(n - \ell)$ bits of the secret to learn adaptively based on the information that it has learned so far. In the most extreme case, the adversary would decide which bits to observe "one-bit-at-a-time". Unfortunately, the definition and the construction of [10] do not satisfy this notion.

There is one more particularity of adaptive security for ERF's. Namely, in some applications (like the construction of AONT's using ERF's [10]) the adversary might observe some partial information about the secret output of the ERF, $f(r)$, before it starts to compromise the input $r$. Is it acceptable in this case that the adversary can learn more partial information about $f(r)$ than he already has? For example, assume we use $f(r)$ as a stream cipher and the adversary learns the first few bits of $f(r)$ before it chooses which $(n - \ell)$ bits of $r$ to read. Ideally, we will not want the adversary to be able to learn some information about the remaining bits of $f(r)$ (the ones that would be used in the stream cipher in the future). Taken to the extreme, even if the adversary sees either the entire $f(r)$ (i.e., has complete information on $f(r)$), or a random $R$, and only then decides which $(n - \ell)$ bits of $r$ to read, it cannot distinguish the above two cases.

As we argued, we believe that a good notion of adaptive ERF should satisfy both of the properties above, which leads us to the following notion.

Definition 5. A polynomial time function $f : \{0,1\}^n \to \{0,1\}^k$ is a (perfect, statistical or computational) adaptive $\ell$-ERF (adaptive exposure-resilient function) if for any adversary $A$ who has access to a string $r$ and is required not to read at least $\ell$ bits of $r$, when $r$ is chosen at random from $\{0,1\}^n$ and $R$ is chosen at random from $\{0,1\}^k$, we have: $|\Pr(A^r(f(r)) = 1) - \Pr(A^r(R) = 1)| \le \epsilon$, where

— In the perfect setting $\epsilon = 0$.

— In the statistical setting $\epsilon = \mathrm{negl}(n)$.

— In the computational setting $\epsilon = \mathrm{negl}(n)$ for any PPT $A$.
Notice that in the perfect setting this definition is equivalent to that of an ordinary (static) perfect $\ell$-ERF, since for any $L$, the values $[r]_L$ and $f(r)$ are uniform and independent. In the statistical setting, the notions are no longer equivalent: indeed, the original constructions of [10] fail dramatically under an adaptive attack. We briefly mention the reason. They used so-called randomness extractors in their construction of statistical ERF's (see [?] for the definitions). Such extractors use a small number of truly random bits $d$ to extract all the randomness from any "reasonable" distribution $X$. However, it is crucial that this randomness $d$ is chosen independently from and after the distribution $X$ is specified. In their construction $d$ was part of the input $r$, and reading up to $(n - \ell)$ of the remaining bits of $r$ defined the distribution $X$ that they extracted randomness from. Unfortunately, an adaptive adversary can first read $d$, and only then determine which other bits of $r$ to read. This alters $X$ depending on $d$, and the notion of an extractor does not work in such a scenario. In fact, tracing the particular extractors that they use, learning $d$ first indeed allows an adaptive adversary to break the resulting static ERF.

Also notice that once we have good adaptive statistical ERF's, adaptive computational ERF's will be easy to construct in the same way as with regular ERF's [?]: simply apply a good pseudorandom generator to the output of an adaptive statistical ERF. Finally, we notice that the generic one-time pad construction of [10] of AONT's from ERF's extends to the adaptive setting, as long as we use the strong adaptive definition of ERF given above. Namely, the challenge has to be given first, since the adversary for the AONT may choose which bits of the secret part $r$ to read when having already read the entire public part, either $f(r) \oplus x_0$ or $f(r) \oplus x_1$ (for known $x_0$ and $x_1$!). Thus, we get

Lemma 2. If $f : \{0,1\}^n \to \{0,1\}^k$ is an adaptive $\ell$-ERF, then $T(x) = (r, x \oplus f(r))$ is an adaptive $\ell$-AONT with secret part $r$ and public part $x \oplus f(r)$.



3 Lower Bound on Perfect AONT 



In this section we study perfect AONT's. We show that there exists a strong limitation in constructing perfect AONT's: the adversary must miss at least half of the $n$-bit output, even if the input size $k$ is as small as $\log n$. Recall that perfect AONT's are more general than perfect ERF's (Lemma 1), and thus our bound non-trivially generalizes the lower bound of Friedman [?] (see also another proof by [?]) on perfect ERF. As we will see, the proof will follow from the impossibility of certain weighted "balanced" colorings of an $n$-dimensional hypercube, which is of independent interest.

Theorem 1. If $T : \{0,1\}^k \to \{0,1\}^n$ is a perfect (secret-only) $\ell$-AONT, then

$$\ell \;\ge\; 1 + n \cdot \frac{2^{k-1} - 1}{2^k - 1} \;=\; 1 + n\left(\frac{1}{2} - \frac{1}{2(2^k - 1)}\right).$$

In particular, for $n \le 2^k$ we get $\ell \ge n/2$, so at least half of the output of $T$ has to remain secret even if $T$ exponentially expands its input! Moreover, the equality can be achieved only by AONT's constructed from ERF's via Lemma 1.
3.1 Balanced Colorings of the Hypercube

A coloring of the $n$-dimensional hypercube $\mathcal{H} = \{0,1\}^n$ with $c$ colors is any map which associates a color from $\{1, \ldots, c\}$ to each node in the graph. In a weighted coloring, each node $y$ is also assigned a non-negative real weight $\chi(y)$. We will often call the nodes of weight 0 uncolored, despite them having an assigned nominal color. For each color $i$, we define the weight vector $\chi_i$ of this color by assigning $\chi_i(y) = \chi(y)$ if $y$ has color $i$, and 0 otherwise. We notice that for any given $y \in \mathcal{H}$, $\chi_i(y) > 0$ for at most one color $i$, and also $\sum_i \chi_i = \chi$. A coloring where all the nodes are uncolored is called empty. Since we will never talk about such colorings, we will assume that $\sum_{y \in \mathcal{H}} \chi(y) = 1$. A uniform coloring has all the weights equal: $\chi(y) = 2^{-n}$ for all $y$.

An $\ell$-dimensional subcube $\mathcal{H}_{L,a}$ of the hypercube is given by a set of $\ell$ "free" positions $L \in \binom{[n]}{\ell}$ and an assignment $a \in \{0,1\}^{n-\ell}$ to the remaining positions, and contains the resulting $2^\ell$ nodes of the hypercube consistent with $a$.

Definition 6. We say a weighted coloring of the hypercube is $\ell$-balanced if, within every subcube of dimension $\ell$, each color has the same weight. That is, for each $L$ and $a$, $\sum_{y \in \mathcal{H}_{L,a}} \chi_i(y)$ is the same for all colors $i$.

Notice, an $\ell$-balanced coloring is also $\ell'$-balanced for any $\ell' > \ell$, since an $\ell'$-dimensional subcube is the disjoint union of $\ell$-dimensional ones. We study balanced colorings since they exactly capture the combinatorial properties of $\ell$-AONT's and $\ell$-ERF's. We get the following equivalences.

Lemma 3. Ignoring efficiency, the following equivalences hold in the perfect 
setting: 

1. £-/KOHT ’s from k ton bits weighted £-balanced colorings of n-dimensional 
hypercube with 2^ colors. 

2. £-ERF’s from n to k bits uniform £-balanced colorings of n- dimensional 
hypercube with 2^ colors. 

Proof Sketch. For the first equivalence, the color of node y G TL corresponds to 
the value if the inverse map I{y), and its weight corresponds to Pi'x,t{T{x) = y). 
For the second equivalence, the color of node y G H is simply f{y). □ 

Notice, the lemma above also gives more insight into why perfect AONT’s are 
more general than perfect ERF’s (and an alternative proof of Lemma[U). We now 
restate our lower bound on perfect AONT’s in Theorem Q] in terms of weighted 
^-balanced colorings of TL with c = 2^ colors (proving it for general c). 

Theorem 2. Any (non-empty) $\ell$-balanced weighted coloring of the $n$-dimensional hypercube using $c$ colors must have
$$\ell \geq \frac{n}{2} + \left(1 - \frac{n}{2(c-1)}\right).$$
Moreover, equality can hold only if the coloring is uniform and no two adjacent nodes of positive weight have the same color.

We believe that the theorem above is interesting in its own right. It says that once the number of colors is at least 3, it is impossible to find a $c$-coloring (even weighted!) of the hypercube such that all $\ell$-dimensional subcubes are "equi-colored", unless $\ell$ is very large (linear in $n$).

3.2 Proof of the Lower Bound (Theorem 2)

In our proof of Theorem 2 we will consider the $2^n$-dimensional vector space $V$ consisting of real-valued (not boolean!) vectors with positions indexed by the strings in $\mathcal{H}$, and we will use facts about the Fourier decomposition of the hypercube.

Fourier Decomposition of the Hypercube. Like the original proof of Friedman [US] for the case of uniform colorings, we use the adjacency matrix $A$ of the hypercube. $A$ is a $2^n \times 2^n$ dimensional 0-1 matrix, where the entry $A_{x,y} = 1$ iff $x$ and $y$ (both in $\{0,1\}^n$) differ in exactly one coordinate. Recall that a non-zero vector $v$ is an eigenvector of the matrix $A$ corresponding to an eigenvalue $\lambda$ if $Av = \lambda v$. Since $A$ is symmetric, there is an orthonormal basis of $V$ in which all $2^n$ vectors are eigenvectors of $A$. For two strings $x, z$ in $\{0,1\}^n$, let $x \cdot z$ denote their inner product modulo 2 and let $\mathrm{weight}(z)$ be the number of positions of $z$ which are equal to 1. Then:

Fact 1. $A$ has an orthonormal basis of eigenvectors $\{v_z : z \in \{0,1\}^n\}$, where the eigenvalue of $v_z$ is $\lambda_z = n - 2 \cdot \mathrm{weight}(z)$, and the value of $v_z$ at position $y$ is $v_z(y) = \frac{1}{\sqrt{2^n}} \cdot (-1)^{z \cdot y}$.

We will use the notation $\langle u, v \rangle = u^T v = \sum_i u_i v_i$ to denote the inner product of $u$ and $v$, and let $\|u\|^2 = \langle u, u \rangle = \sum_i u_i^2$ denote the square of the Euclidean norm of $u$. We then get the following useful fact, which follows as an easy exercise from Fact 1 (it is also a consequence of the Courant-Fischer inequality).

Fact 2. Assume $\{v_z : z \in \{0,1\}^n\}$ are the eigenvectors of $A$ as above, and let $u$ be a vector orthogonal to all the $v_z$'s corresponding to $z$ with $\mathrm{weight}(z) < t$: $\langle u, v_z \rangle = 0$. Then we have: $u^T A u \leq (n - 2t) \cdot \|u\|^2$. In particular, for any $u$ we have: $u^T A u \leq n \cdot \|u\|^2$.

Exploiting Balancedness. Consider a non-empty $\ell$-balanced weighted coloring $\chi$ of the hypercube using $c$ colors. Let $\chi_i$ be the characteristic weight vector corresponding to color $i$ (i.e. $\chi_i(y)$ is the weight of $y$ when $y$ has color $i$ and $0$ otherwise). As we will show, the $\chi_i$'s have some nice properties which capture the balancedness of the coloring $\chi$. In particular, we know that for any colors $i$ and $j$ and for any $\ell$-dimensional subcube of $\mathcal{H}$, the sums of the components of $\chi_i$ and of $\chi_j$ are the same in this subcube. Hence, if we consider the difference $(\chi_i - \chi_j)$, we get that the sum of its coordinates over any $\ell$-dimensional subcube is $0$.

To exploit the latter property analytically, we consider the quantity $(\chi_i - \chi_j)^T A (\chi_i - \chi_j)$, where $A$ is the adjacency matrix of the $n$-dimensional hypercube. As suggested by Fact 2, we can bound this quantity by calculating the Fourier coefficients of $(\chi_i - \chi_j)$ corresponding to large eigenvalues. We get:

Lemma 4. For any $i \neq j$, we have: $(\chi_i - \chi_j)^T A (\chi_i - \chi_j) \leq (2\ell - n - 2) \cdot \|\chi_i - \chi_j\|^2$.
We postpone the proof of this crucial lemma until the end of this section, and now just use it to prove our theorem. First, note that the lemma above only gives us information on two colors. To simultaneously use the information from all pairs, we consider the sum over all pairs $i, j$, that is
$$\Delta = \sum_{i,j} (\chi_i - \chi_j)^T A (\chi_i - \chi_j).$$
We will give upper and lower bounds for this quantity (Equation (3) and Equation (4), respectively), and use these bounds to prove our theorem. We first give the upper bound, based on Lemma 4.

Claim.
$$\Delta \leq 2(2\ell - n - 2)(c - 1) \cdot \sum_i \|\chi_i\|^2 \qquad (3)$$

Proof. We can ignore the terms of $\Delta$ when $i = j$ since then $(\chi_i - \chi_j)$ is the $0$ vector. Using Lemma 4 we get an upper bound:
$$\sum_{i \neq j} (\chi_i - \chi_j)^T A (\chi_i - \chi_j) \leq (2\ell - n - 2) \sum_{i \neq j} \|\chi_i - \chi_j\|^2.$$
Now the vectors $\chi_i$ have disjoint supports (since each $y \in \mathcal{H}$ is assigned only one color), so we have $\|\chi_i - \chi_j\|^2 = \|\chi_i\|^2 + \|\chi_j\|^2$. Substituting into the equation above, we see that each $\|\chi_i\|^2$ appears $2(c - 1)$ times (recall that $c$ is the number of colors), which immediately gives the desired bound in Equation (3). □

Second, we can expand the definition of $\Delta$ to directly obtain a lower bound.

Claim.
$$\Delta \geq -2n \cdot \sum_i \|\chi_i\|^2 \qquad (4)$$

Proof. Since $A$ is symmetric we have $\chi_i^T A \chi_j = \chi_j^T A \chi_i$. Then:
$$\sum_{i,j} (\chi_i - \chi_j)^T A (\chi_i - \chi_j) = \sum_{i,j} \left( \chi_i^T A \chi_i - 2\, \chi_i^T A \chi_j + \chi_j^T A \chi_j \right) = 2c \cdot \sum_i \chi_i^T A \chi_i - 2 \cdot \sum_{i,j} \chi_i^T A \chi_j.$$
Let us try to bound this last expression. On the one hand, we know that $\chi_i^T A \chi_i \geq 0$ since it is a product of matrices and vectors with non-negative entries. On the other hand, we can rewrite the last term as a product:
$$\sum_{i,j} \chi_i^T A \chi_j = \Big(\sum_i \chi_i\Big)^T A \Big(\sum_i \chi_i\Big).$$
This quantity, however, we can bound using the fact that the maximum eigenvalue of $A$ is $n$ (see Fact 2). We get:
$$\Big(\sum_i \chi_i\Big)^T A \Big(\sum_i \chi_i\Big) \leq n \cdot \Big\|\sum_i \chi_i\Big\|^2.$$
Since the vectors $\chi_i$ have disjoint support (again, each node $y$ is assigned a unique color), they are orthogonal and so $\|\sum_i \chi_i\|^2 = \sum_i \|\chi_i\|^2$. Combining these results, we get the desired lower bound:
$$\sum_{i,j} (\chi_i - \chi_j)^T A (\chi_i - \chi_j) \geq 0 - 2n \cdot \sum_i \|\chi_i\|^2 = -2n \cdot \sum_i \|\chi_i\|^2. \qquad □$$

Combining the lower and the upper bounds of Equation (3) and Equation (4), we notice that $\sum_i \|\chi_i\|^2 > 0$ and can be cancelled out (since the coloring $\chi$ is non-empty). This gives us $2(2\ell - n - 2)(c - 1) \geq -2n$, which exactly implies the needed bound on $\ell$.

Proof of Lemma 4. It remains to prove Lemma 4, i.e. $(\chi_i - \chi_j)^T A (\chi_i - \chi_j) \leq (2\ell - n - 2) \cdot \|\chi_i - \chi_j\|^2$. By Fact 2 it is sufficient to show that all the Fourier coefficients of $(\chi_i - \chi_j)$ which correspond to eigenvalues $\geq 2\ell - n = n - 2(n - \ell)$ are $0$. In other words, that $(\chi_i - \chi_j)$ is orthogonal to all the eigenvectors whose eigenvalues are at least $(n - 2(n - \ell))$, i.e. $\mathrm{weight}(z) \leq n - \ell$. But recall that by the definition of balancedness, on any subcube of dimension at least $\ell$, the components of $(\chi_i - \chi_j)$ sum to $0$! On the other hand, the eigenvectors are constant on very large-dimensional subcubes of $\mathcal{H}$ when $\lambda_z$ is large (see Fact 1). These two facts turn out to be exactly what we need in order to show that $\langle v_z, \chi_i - \chi_j \rangle = 0$ whenever $\lambda_z \geq 2\ell - n$, and thus to prove Lemma 4.

Claim. For any $z \in \{0,1\}^n$ with $\mathrm{weight}(z) \leq n - \ell$ (i.e. $\lambda_z \geq 2\ell - n$), we have: $\langle v_z, \chi_i - \chi_j \rangle = 0$.

Proof. Pick any vector $z = (z_1, \ldots, z_n) \in \{0,1\}^n$ with $\mathrm{weight}(z) \leq n - \ell$, and let $S$ be the support of $z$, i.e. $S = \{j : z_j = 1\}$. Note that $|S| \leq n - \ell$. Also, recall that $v_z(y) = \frac{1}{\sqrt{2^n}} \cdot (-1)^{z \cdot y}$ (see Fact 1). Now consider any assignment $a$ to the variables of $S$. By letting the remaining variables take on all possible values, we get some subcube of the hypercube, call it $\mathcal{H}_a$.

On the one hand, note that $v_z$ is constant (either $\frac{1}{\sqrt{2^n}}$ or $-\frac{1}{\sqrt{2^n}}$) on that subcube, since if $y$ and $y'$ differ only on positions not in $S$, we will have $z \cdot y = z \cdot y'$. Call this value $C_a$. On the other hand, since the coloring is $\ell$-balanced and since $|S| \leq n - \ell$, the subcube $\mathcal{H}_a$ has dimension at least $\ell$ and so we know that both colors $i$ and $j$ have equal weight on $\mathcal{H}_a$. Thus summing the values of $(\chi_i - \chi_j)$ over this subcube gives $0$.

Using the above two observations, we show that $\langle \chi_i - \chi_j, v_z \rangle = 0$ by rewriting the inner product as a sum over all assignments to the variables in $S$:
$$\langle \chi_i - \chi_j, v_z \rangle = \sum_{y \in \mathcal{H}} v_z(y)\,[\chi_i(y) - \chi_j(y)] = \sum_{a \in \{0,1\}^{|S|}} \ \sum_{y \in \mathcal{H}_a} v_z(y)\,[\chi_i(y) - \chi_j(y)] = \sum_a C_a \sum_{y \in \mathcal{H}_a} [\chi_i(y) - \chi_j(y)] = \sum_a C_a \cdot 0 = 0. \qquad □$$

Equality Conditions. We now determine the conditions on the colorings so that we can achieve equality in Theorem 2 (and also Theorem 1). Interestingly, such colorings are very structured, as we can see by tracing through our proof. Namely, consider the lower bound proved in Equation (4), i.e. that $\sum_{i,j} (\chi_i - \chi_j)^T A (\chi_i - \chi_j) \geq -2n \sum_i \|\chi_i\|^2$. Going over the proof, we see that equality can occur only if two conditions occur.

On the one hand, we must have $\chi_i^T A \chi_i = 0$ for all colors $i$. An easy calculation shows that $\chi_i^T A \chi_i$ is $0$ only when there is no edge of non-zero weight connecting two nodes of color $i$. Thus, this condition implies that the coloring is in fact a $c$-coloring in the traditional sense of complexity theory: no two adjacent nodes will have the same color. On the other hand, the inequality $(\sum_i \chi_i)^T A (\sum_i \chi_i) \leq n \cdot \|\sum_i \chi_i\|^2$ must be tight. This can only hold if the vector $\chi = \sum_i \chi_i$ is parallel to $(1, 1, \ldots, 1)$, since that is the only eigenvector with the largest eigenvalue $n$. But this means that all the weights $\chi(y)$ are the same, i.e. that the coloring must be uniform.

We also remark that Chor et al. [12] showed (using the Hadamard code) that our bound is tight for $k < \log n$.



3.3 Extension to Larger Alphabets 

Although the problem of constructing AONT's is usually stated in terms of bits, it is natural in many applications (e.g., secret-sharing) to consider larger alphabets, namely to consider $T : \{0, \ldots, q-1\}^k \to \{0, \ldots, q-1\}^n$. All the notions from the "binary" case naturally extend to general alphabets as well, and so does our lower bound. However, the lower bound we obtain is mostly interesting when the alphabet size $q$ is relatively small compared to $n$. In particular, the threshold $n/2$, which is so crucial in the binary case (when we are trying to encode more than $\log n$ bits), becomes $n/q$ (recall, $q$ is the size of the alphabet). Significantly, this threshold becomes meaningless when $q > n$. This isn't surprising, since in this case we can use Shamir's secret sharing [ESI] (provided $q$ is a prime power) and achieve $\ell = k$. We also remark that our bound is tight if < n and can be achieved similarly to the binary case by using the $q$-ary analog of the Hadamard code.

Theorem 3. For any integer $q \geq 2$, let $T : \{0, \ldots, q-1\}^k \to \{0, \ldots, q-1\}^n$ be a perfect $\ell$-AONT. Then
$$\ell \geq \frac{n}{q} + \left(1 - \frac{q-1}{q} \cdot \frac{n}{q^k - 1}\right).$$
In particular, $\ell > n/q$ when $q^k > n$.

Similarly to the binary case, there is also a natural connection between $\ell$-AONT's and weighted $\ell$-balanced colorings of the "multi-grid" $\{0, \ldots, q-1\}^n$ with $c = q^k$ colors. And again, the bound of Theorem 2 extends here as well and becomes
$$\ell \geq \frac{n}{q} + \left(1 - \frac{q-1}{q} \cdot \frac{n}{c - 1}\right).$$

The proof techniques are essentially identical to those for the binary case. We now work with the graph $\{0, \ldots, q-1\}^n$, which has an edge going between every pair of words that differ in a single position. We think of vertices in this graph as vectors in $\mathbb{Z}_q^n$. If $\omega$ is a primitive $q$-th root of unity in $\mathbb{C}$, then an orthonormal basis of eigenvectors of the adjacency matrix is given by the $q^n$-dimensional complex vectors $v_z$ for $z \in \{0, \ldots, q-1\}^n$, where $v_z(y) = q^{-n/2} \cdot \omega^{z \cdot y}$ (here, $z \cdot y$ is the standard dot product modulo $q$). Constructing upper and lower bounds as above, we eventually get $(q\ell - n - q)(c - 1) \sum_i \|\chi_i\|^2 \geq -n(q - 1) \sum_i \|\chi_i\|^2$, which implies the desired inequality. Equality conditions are the same.
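As an added worked example (not from the paper), the following Python code builds the weight vectors $\chi_i$ of Definition 6 for three colorings constructed here, checks $\ell$-balancedness by enumerating every subcube $\mathcal{H}_{L,a}$, evaluates the quadratic forms of Lemma 4 and of the bounds (3) and (4), and compares the result with the bound of Theorem 2 and its $q$-ary form from this section. The linear ERF, the weighted parity coloring and the Shamir-based coloring are constructed for the example; the $q$-ary versions of Lemma 4 and of (3) and (4) used below (threshold $q\ell - n - q$, largest eigenvalue $n(q-1)$) are assumed from the derivation sketched above.

```python
from fractions import Fraction
from itertools import combinations, product

def grid_nodes(q, n):
    """All words of {0,...,q-1}^n; q = 2 gives the hypercube H of the binary case."""
    return list(product(range(q), repeat=n))

def adjacent(x, y):
    """Edge of the grid graph: the two words differ in exactly one position."""
    return sum(a != b for a, b in zip(x, y)) == 1

def subcubes(q, n, ell):
    """Node sets H_{L,a}: L = ell free positions, a = assignment to the other n - ell."""
    for L in combinations(range(n), ell):
        fixed = [p for p in range(n) if p not in L]
        for a in product(range(q), repeat=n - ell):
            cube = []
            for free in product(range(q), repeat=ell):
                word = [0] * n
                for p, v in zip(fixed, a):
                    word[p] = v
                for p, v in zip(L, free):
                    word[p] = v
                cube.append(tuple(word))
            yield cube

def color_vectors(color, weight, c):
    """chi_i(y) = weight(y) if y has colour i and 0 otherwise (dicts keyed by node)."""
    return [{y: weight[y] if color[y] == i else Fraction(0) for y in color}
            for i in range(c)]

def is_balanced(q, n, ell, chis):
    """Definition 6: in every ell-dimensional subcube each colour has the same weight."""
    return all(len({sum(chi[y] for y in cube) for chi in chis}) == 1
               for cube in subcubes(q, n, ell))

def quad_form(u):
    """u^T A u for the adjacency matrix A of the grid (u is a dict node -> value)."""
    return sum(u[x] * u[y] for x in u for y in u if adjacent(x, y))

def norm2(u):
    return sum(v * v for v in u.values())

def lemma4_holds(q, n, ell, chis):
    """(chi_i - chi_j)^T A (chi_i - chi_j) <= (q*ell - n - q) ||chi_i - chi_j||^2 for all i != j;
    with q = 2 this is Lemma 4, the eigenvalue threshold being 2*ell - n - 2."""
    for i, j in combinations(range(len(chis)), 2):
        d = {y: chis[i][y] - chis[j][y] for y in chis[i]}
        if quad_form(d) > (q * ell - n - q) * norm2(d):
            return False
    return True

def delta_and_bounds(q, n, ell, chis):
    """Delta = sum_{i,j} (chi_i - chi_j)^T A (chi_i - chi_j) together with the upper bound (3)
    and the lower bound (4); for q = 2 they read 2(2 ell - n - 2)(c - 1) S and -2n S,
    S = sum_i ||chi_i||^2 (the largest eigenvalue n becomes n(q - 1) for general q)."""
    c = len(chis)
    s = sum(norm2(chi) for chi in chis)
    delta = sum(quad_form({y: chis[i][y] - chis[j][y] for y in chis[i]})
                for i in range(c) for j in range(c) if i != j)
    return delta, 2 * (q * ell - n - q) * (c - 1) * s, -2 * n * (q - 1) * s

def lower_bound(q, n, c):
    """Theorem 2 (q = 2) and its q-ary form: ell >= n/q + (1 - (q-1)/q * n/(c-1))."""
    return Fraction(n, q) + 1 - Fraction(q - 1, q) * Fraction(n, c - 1)

# Constructed example 1 (Lemma 3, part 2): the linear 2-ERF f(r) = (r1 + r3, r2 + r3) mod 2
# on n = 3 bits, i.e. the uniform colouring of the 3-cube with 2^2 = 4 colours.
def linear_erf(r):
    return ((r[0] ^ r[2]) << 1) | (r[1] ^ r[2])

CUBE = grid_nodes(2, 3)
ERF_CHIS = color_vectors({y: linear_erf(y) for y in CUBE},
                         {y: Fraction(1, 8) for y in CUBE}, 4)

# Constructed example 2: the parity 2-colouring of the 3-cube with NON-uniform weights,
# chosen so that every face carries equal even and odd weight (so it is 2-balanced);
# Theorem 2 then predicts a strict inequality, since equality forces a uniform colouring.
RAW = {(0, 0, 0): 3, (0, 1, 1): 1, (1, 0, 1): 1, (1, 1, 0): 1,
       (1, 1, 1): 0, (1, 0, 0): 2, (0, 1, 0): 2, (0, 0, 1): 2}
PARITY_CHIS = color_vectors({y: sum(y) % 2 for y in CUBE},
                            {y: Fraction(RAW[y], 12) for y in CUBE}, 2)

# Constructed example 3 (Section 3.3, q = 5 > n = 3): Shamir sharing of one Z_5 symbol x with a
# random degree-2 polynomial evaluated at 1, 2, 3; the colour of a share vector is its secret x.
Q, N = 5, 3
SHAMIR_COLOR = {}
for x, a1, a2 in product(range(Q), repeat=3):
    SHAMIR_COLOR[tuple((x + a1 * p + a2 * p * p) % Q for p in (1, 2, 3))] = x
SHAMIR_CHIS = color_vectors(SHAMIR_COLOR,
                            {y: Fraction(1, Q ** N) for y in SHAMIR_COLOR}, Q)
```

For the two uniform, properly coloured examples the quantities in (3) and (4) coincide with $\Delta$ and the bound is met with equality, while the weighted parity coloring sits strictly inside both bounds and strictly above the bound on $\ell$.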

4 Adaptive Security in the Statistical Setting 

We now address the question of adaptive security in the statistical setting. Indeed, we saw that both perfect ERF's and perfect AONT's have strong limitations. We also observed in Lemma 2 that we only need to concentrate on ERF's: we can use them to construct AONT's. Finally, we know that applying a regular pseudorandom generator to a good adaptively secure statistical ERF will result in a good adaptively secure computational ERF. This leaves us with the need to construct adaptive statistical ERF's (recall that unfortunately, the construction of [m] for the static case is not adaptively secure). Hence, in this section we discuss only the statistical setting, and mainly resilient functions (except for Section 4.3, see below).

More specifically, in Section 4.1 we discuss several flavors of statistical resilient functions, and the relations among them, which should be of independent interest. In particular, we argue that the notion of almost-perfect resilient functions (APRF) [m] is the strongest one (in particular, stronger than adaptive ERF). In Section 4.2 we show how to construct APRF's. While seemingly only slightly weaker than perfect RF's, we show that we can achieve much smaller, optimal resilience for such functions: $\ell \approx k$ (compare with $\ell > n/2$ for perfect RF's). In particular, this will imply the existence of nearly optimal statistical RF's and adaptive statistical ERF's with the same parameters. Finally, in Section 4.3 we will show that APRF's can also be used to show the existence of optimal secret-only adaptive statistical AONT's (which improves the one-time pad construction from Lemma 2 and was not known even in the non-adaptive setting of [pTO]).

4.1 Adaptive ERF and Other Flavors of Resilient Functions 

The definition presented in Section 2 for adaptive security of an ERF is only one of several possible notions of adaptive security. Although it seems right for most applications involving resilience to exposure, one can imagine stronger attacks in which the security of resilient functions (RF), which tolerate even partly fixed inputs, would be desired. In this section we relate these various definitions, and reduce them to the stronger notion of an almost-resilient function, which is of independent combinatorial interest.

There are several parameters which one naturally wants to vary when con- 
sidering “adaptive” security of an ERF, which is in its essence an extractor for 
producing good random bits from a partially compromised input. 

1. Does the adversary get to see the challenge (output vs. a random string) 
before deciding how to “compromise” the input? 

2. Does the adversary get to decide on input positions to “compromise” one at 
a time or all at once? 

3. Does the adversary get to fix (rather than learn) some of the positions? 

Flavors of Resilient Functions. To address the above questions, we lay out the following definitions. Unless stated otherwise, $f$ denotes an efficient function $f : \{0,1\}^n \to \{0,1\}^k$, $L \in \binom{[n]}{\ell}$, $r$ is chosen uniformly from $\{0,1\}^n$, $R$ is chosen uniformly from $\{0,1\}^k$. Finally, the adversary $A$ is computationally unbounded, and has to obtain a non-negligible advantage in the corresponding experiment.

1. (Weakly) Static ERF: (This is the original notion of [fTH].)

$r \in \{0,1\}^n$ is chosen at random. The adversary $A$ specifies $L$ and learns $w = [r]_{\bar L}$. $A$ is then given the challenge $Z$ which is either $f(r)$ or $R$. $A$ must distinguish between these two cases.

2. Strongly Static ERF: (In this notion, the challenge is given first.)

$r \in \{0,1\}^n$ is chosen at random. The adversary $A$ is then given the challenge $Z$ which is either $f(r)$ or $R$. Based on $Z$, $A$ specifies $L$, then learns $w = [r]_{\bar L}$, and has to distinguish between $Z = f(r)$ and $Z = R$.

3. Weakly Adaptive ERF: (This is a natural notion of adaptivity for ERF.)

$r \in \{0,1\}^n$ is chosen at random. The adversary $A$ learns up to $(n - \ell)$ bits of $r$, one at a time, basing each of his choices on what he has seen so far. $A$ is then given the challenge $Z$ which is either $f(r)$ or $R$, and has to distinguish between these two cases.

4. (Strongly) Adaptive ERF: (This is the notion defined in Section 2.)

$r \in \{0,1\}^n$ is chosen at random. The adversary $A$ is then given the challenge $Z$ which is either $f(r)$ or $R$. Based on $Z$, $A$ learns up to $(n - \ell)$ bits of $r$, one at a time, and has to distinguish between $Z = f(r)$ and $Z = R$.

5. Statistical RF: (This is the extension of resilient functions [1 1 2|3j] to the statistical model, also defined in Section 2.)

$A$ chooses any set $L \in \binom{[n]}{\ell}$ and any $w \in \{0,1\}^{n-\ell}$. $A$ requests that $[r]_{\bar L}$ is set to $w$. The remaining $\ell$ bits of $r$ in $L$ are set at random. $A$ is then given a challenge $Z$ which is either $f(r)$ or $R$, and has to distinguish between these two cases. (Put another way, $A$ loses if for any $L \in \binom{[n]}{\ell}$ and any $w \in \{0,1\}^{n-\ell}$, the distribution induced by $f(r)$ when $[r]_{\bar L} = w$ and the other $\ell$ bits of $r$ are chosen at random is statistically close to the uniform distribution on $\{0,1\}^k$.)

6. Almost-Perfect RF (APRF): (This is the notion of [m].)

$A$ chooses any set $L \in \binom{[n]}{\ell}$ and any $w \in \{0,1\}^{n-\ell}$. $A$ requests that $[r]_{\bar L}$ is set to $w$. The remaining $\ell$ bits of $r$ in $L$ are set at random and $Z = f(r)$ is evaluated. $A$ wins if there exists $y \in \{0,1\}^k$ such that $\Pr(Z = y)$ in this experiment does not lie within $2^{-k}(1 \pm \epsilon)$, where $\epsilon$ is negligible.*

Note that for each of the first five notions above, we can define the "error parameter" $\epsilon$ as the advantage of the adversary in the given experiment (for the sixth notion, $\epsilon$ is already explicit).

Let us begin by discussing the notion we started with, adaptive ERF. First, it might seem initially like the notion of weakly adaptive ERF is all that we need. Unfortunately, we have seen that to construct adaptive AONT's from ERF's via Lemma 2 we need strong adaptive ERF's. Second, the "algorithmic" adaptive behavior of the adversary is difficult to deal with, so it seems easier to deal with a more combinatorial notion. For example, one might hope that a statistical RF is by itself an adaptive ERF (notice, such an RF is clearly a static ERF), and then concentrate on constructing statistical RF's. Unfortunately, this hope is false, as stated in the following lemma.

Lemma 5. There are functions which are statistical RF but not statistical adaptive (or even strongly static!) ERF.

Proof Sketch. Let $n$ be the input size. Let $f'$ be a statistical RF from n' = ^ bits to k' = ^ bits such that ℓ' = j. Such functions exist, as we prove in Section 4.2. Define $f$ as follows: on an $n$-bit input string $r$, break $r$ into two parts $r_1$ and $r_2$ both of length . Apply $f'$ to $r_1$ to get a string $s$ of length . Now divide $s$ into Q(^iagn-i) blocks of size log which can be interpreted as a random subset $S$ from {1, ..., f} with elements. Let $\oplus S$ be the parity of the bits in $[r_2]_S$. The output of $f$ is the pair $(s, \oplus S)$. Thus k ~

Now let ℓ = n − ■. Clearly, an adversary who sees the challenge first can (non-adaptively) read the bits $[r_2]_S$ and check the parity (giving him advantage at least $1/2$ over the random string). Thus, $f$ is not an adaptively secure ERF. On the other hand, an adversary who can fix only (n−ℓ) k, n/Q log(n) input bits can still not learn anything about the output of $f$ and thus is unlikely to know the value of all the bits in $S$. Such an adversary will always have negligible advantage. Hence $f$ is a statistical RF. □

Since the opposite direction (from adaptive ERF's to statistical RF's) is obviously false as well, we ask if some notion actually can simultaneously achieve both adaptive security for ERF, and statistical security for RF. Fortunately, it turns out that by satisfying the stronger condition of an almost-perfect resilient function (APRF) [I2], one obtains an adaptive ERF. Since APRF's will play such a crucial role in our study, we give a separate, more formal definition.

* Note that in [uni] the error parameter was measured slightly differently: they define $\epsilon$ as the maximum absolute deviation. Our convention makes sense in the cryptographic setting since then the adversary's advantage at distinguishing $f(r)$ from random in any of the above experiments is comparable to $\epsilon$, as opposed to $\epsilon 2^k$.
Definition 7. A polynomial time function $f : \{0,1\}^n \to \{0,1\}^k$ is $\ell$-APRF (almost-perfect resilient function) if for any $L \in \binom{[n]}{\ell}$, for any assignment $w \in \{0,1\}^{n-\ell}$ to the positions not in $L$, for a randomly chosen $r \in \{0,1\}^n$ and for some negligible $\epsilon = \mathrm{negl}(n)$, we have:
$$\Pr\big(f(r) = y \mid [r]_{\bar L} = w\big) = (1 \pm \epsilon)\, 2^{-k} \qquad (5)$$

While it is obvious that any APRF is a statistical RF (by summing over $2^k$ values of $y$), the fact that it is also an adaptive ERF is less clear (especially considering Lemma 5), and is shown below.
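As an added example (not part of the paper), the following Python code computes the APRF error $\epsilon$ of Definition 7 exhaustively for a small function, by enumerating every set $L$ and every fixing $[r]_{\bar L} = w$, and alongside it the largest statistical distance from uniform, i.e. the error of the same function as a statistical RF (notion 5 above); the remark that summing (5) over $y$ makes any APRF a statistical RF shows up as the relation "statistical-RF error $\leq \epsilon/2$". The linear function and the seeded random truth table are constructed here for the example.

```python
from fractions import Fraction
from itertools import combinations, product
import random

def conditional_distributions(f, n, k, ell):
    """For every set L of ell free positions and every fixing w of the other n - ell bits
    (Definition 7's conditioning [r]_{bar L} = w), yield the distribution of f(r) as a
    list of 2^k probabilities indexed by y."""
    for L in combinations(range(n), ell):
        fixed = [p for p in range(n) if p not in L]
        counts = {}  # (w, y) -> number of r with [r]_{bar L} = w and f(r) = y
        for r in product((0, 1), repeat=n):
            key = (tuple(r[p] for p in fixed), f(r))
            counts[key] = counts.get(key, 0) + 1
        for w in product((0, 1), repeat=n - ell):
            yield [Fraction(counts.get((w, y), 0), 1 << ell) for y in range(1 << k)]

def aprf_error(f, n, k, ell):
    """Smallest eps such that every conditional probability lies in (1 +- eps) 2^{-k}
    (Definition 7 / Equation (5)), computed exhaustively."""
    return max(abs(p * (1 << k) - 1)
               for dist in conditional_distributions(f, n, k, ell) for p in dist)

def statistical_rf_error(f, n, k, ell):
    """Largest statistical distance between f(r) under some fixing and the uniform
    distribution on {0,1}^k: the error of f as a statistical RF (notion 5 above)."""
    return max(sum(abs(p - Fraction(1, 1 << k)) for p in dist) / 2
               for dist in conditional_distributions(f, n, k, ell))

# Constructed example: the linear function f(r) = (r1 + r2 + r3, r2 + r3 + r4) mod 2 with
# n = 4, k = 2.  Every non-zero combination of its two output bits is a parity of at least
# two input bits, so fixing any single bit leaves f(r) exactly uniform (eps = 0 at ell = 3),
# while fixing two bits can make the combination r1 + r4 constant and breaks it (ell = 2).
def linear_f(r):
    return ((r[0] ^ r[1] ^ r[2]) << 1) | (r[1] ^ r[2] ^ r[3])

def random_function(n, k, seed):
    """A truth table drawn with a fixed seed: a stand-in for the random f of Section 4.2."""
    rng = random.Random(seed)
    table = {r: rng.randrange(1 << k) for r in product((0, 1), repeat=n)}
    return lambda r: table[r]
```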



Theorem 4. If $f$ is an APRF, then $f$ is a statistical adaptive ERF.

Proof. By assumption, $f$ is an $\ell$-APRF with error $\epsilon$: for every set $L \in \binom{[n]}{\ell}$ and every assignment $w$ to the variables not in $L$, Equation (5) above holds when $r$ is chosen at random. Now suppose that we have an adaptive adversary $A$ who, given either $Z = f(r)$ or $Z = R$ and (limited) access to $r$, can distinguish between the two cases with advantage $\epsilon'$. We will show that $\epsilon' \leq \epsilon$.

At first glance, this may appear trivial: it is tempting to attempt to prove it by conditioning on the adversary's view at the end of the experiment, and concluding that there must be some subset $L$ and appropriate fixing $w$ which always leads to a good chance of distinguishing. However, this argument fails since the adversary $A$ may base his choice of $L$ on the particular challenge he receives, and on the bits he considers.

So we use a more sophisticated argument, although based on a similar intuition. First, we can assume w.l.o.g. that the adversary $A$ is deterministic, because there is some setting of his random coins conditioned on which he will distinguish with advantage at least $\epsilon'$, and so we may as well assume that he always uses those coins.

Following the intuition above, we consider the adversary's view at the end of the experiment, just before he outputs his answer. This view consists of two components: the input challenge $Z$ and the $(n - \ell)$ observed bits $w = w_1, \ldots, w_{n-\ell}$ (which equal $[r]_{\bar L}$ for some set $L$ of size at least $\ell$). Significantly, $L$ need not be explicitly part of the view: since $A$ is deterministic, $L$ is a function of $Z$ and $w$.

Denote by $\mathrm{View}_A^{Z}$ the view of $A$ on challenge $Z$. When $Z = R$, it is easy to evaluate the probability that $A$ will get a given view. Since the values $r \in \{0,1\}^n$ and $R \in \{0,1\}^k$ are independent, we have
$$\Pr\big[\mathrm{View}_A^{R} = (y, w)\big] = 2^{-(n - \ell + k)}.$$
On the other hand, when $Z = f(r)$, we have to be careful. If $L$ is the subset corresponding to $A$'s choices on view $(y, w)$, then we do indeed have:
$$\Pr\big[\mathrm{View}_A^{f(r)} = (y, w)\big] = \Pr\big[f(r) = y \wedge [r]_{\bar L} = w\big].$$
This last equality holds even though the choice of $L$ may depend on $y$. Indeed, $A$ is deterministic and so he will always choose the subset $L$ when $[r]_{\bar L} = w$, regardless of the other values in $r$. Thus, we can in some sense remove the adversary from the discussion entirely. Now this last probability can be approximated by conditioning and using Equation (5):
$$\Pr\big[f(r) = y \wedge [r]_{\bar L} = w\big] = \Pr\big[f(r) = y \mid [r]_{\bar L} = w\big] \cdot \Pr\big[[r]_{\bar L} = w\big] = (1 \pm \epsilon)\, 2^{-(n - \ell + k)}.$$
We can now explicitly compute the adversary's probability of success in each of the two experiments we are comparing. Let $A(y, w) = 1$ if $A$ accepts on view $(y, w)$ and $0$ otherwise. Then:
$$\epsilon' = \Pr\big[A(f(r)) = 1\big] - \Pr\big[A(R) = 1\big] = \sum_{(y, w)} \Big(\Pr\big[\mathrm{View}_A^{f(r)} = (y, w)\big] - \Pr\big[\mathrm{View}_A^{R} = (y, w)\big]\Big) \cdot A(y, w)$$
$$\leq \sum_{(y, w)} \Big| (1 \pm \epsilon)\, 2^{-(n - \ell + k)} - 2^{-(n - \ell + k)} \Big| \leq \epsilon.$$
Thus $\epsilon' \leq \epsilon$, and so $f$ is a statistical adaptive ERF. □

Classification of Resilient Functions. In fact, we can completely relate all the six notions of resilient functions that we introduced:

[Diagram: implications (arrows) and separations (crossed arrows) among the six notions Static ERF, Strongly Static ERF, Weakly Adaptive ERF, Adaptive ERF, Statistical RF and Almost-Perfect RF.]

This diagram is complete: if there is no path from notion A to notion B, then there is a function which satisfies A but not B. We notice that except for the two proofs above, only one non-trivial proof is needed in order to complete the diagram: the separation between weakly adaptive ERF's and static ERF's (other implications and separations are easy exercises). However, this separation follows from the static construction of Canetti et al. [uni], which, as we mentioned, need not yield a weakly adaptive ERF.

We also remark that while the diagram above is useful from a structural point of view, in the next section we show how to build APRF's, the strongest of the above notions, achieving $\ell \approx k$, which is nearly optimal even for static ERF's, the weakest of the above notions. Thus, all the above notions are almost the "same" in terms of the optimal parameters they achieve (which are also substantially better than those possible in the perfect setting).
4.2 Obtaining Nearly Optimal Almost-Resilient Functions

Given the discussion of the previous section, it is natural to try to construct good APRF's. These were first defined and studied by Kurosawa et al. [ca]; using techniques from coding theory, they construct an $\ell$-APRF such that ℓ ≥ + 2 log (i). Although this beats the lower bound on perfect ERF of [15I4], it is very far from the trivial lower bound $\ell \geq k$, especially when $k = o(n)$. Thus, it is natural to ask whether this is a fundamental limitation on APRF's, or whether indeed one can approach this simplistic lower bound.

As a first step, we can show that if $f$ is picked at random from all the functions from $\{0,1\}^n$ to $\{0,1\}^k$, it is very likely to be a good APRF (we omit the proof since we subsume it later). However, this result is of little practical value: storing such a function requires $k \cdot 2^n$ bits. Instead, we replace the random function with a function from a $t$-wise independent hash family for $t$ roughly on the order of $n$. Functions in some such families (e.g., the set of all degree $t - 1$ polynomials over the field $GF(2^n)$) require as little as $tn$ bits of storage, and are easy to evaluate.

Using tail-bounds for $t$-wise independent random variables, one can show that with very high probability we will obtain a good APRF:

Theorem 5. Fix any $n$, $\ell$ and $\epsilon$. Let $\mathcal{F}$ be a family of $t$-wise independent functions from $n$ bits to $k$ bits, where $t = n/\log n$ and
$$k = \ell - 2\log\frac{1}{\epsilon} - O(\log n).$$
Then with probability at least $(1 - 2^{-n})$ a random function $f$ sampled from $\mathcal{F}$ will be an $\ell$-APRF (and hence adaptive $\ell$-ERF and statistical $\ell$-RF) with error $\epsilon$.

Corollary 1. For any $\ell = \omega(\log n)$, there exists an efficient statistical adaptive $\ell$-ERF $f : \{0,1\}^n \to \{0,1\}^k$ with $k = \ell - o(\ell)$.

The proof of Theorem 5 uses the following lemma, which is used (implicitly) in the constructions of deterministic extractors of [?]. Recall that a distribution $X$ over $\{0,1\}^n$ has min-entropy $m$ if for all $x$, $\Pr(X = x) \leq 2^{-m}$.

Lemma 6. Let $\mathcal{F}$ be a family of $t$-wise independent functions (for even $t \geq 8$) from $n$ to $k$ bits, let $X$ be a distribution over $\{0,1\}^n$ of min-entropy $m$, and let $y \in \{0,1\}^k$. Assume for some $\alpha > 0$
$$k \leq m - \left(2\log\frac{1}{\epsilon} + \log t + 2\alpha\right). \qquad (6)$$
Let $f$ be chosen at random from $\mathcal{F}$ and $x$ be chosen according to $X$. Then
$$\Pr_f\left[\left|\Pr_x\big(f(x) = y\big) - \frac{1}{2^k}\right| > \frac{\epsilon}{2^k}\right] \leq 2^{-\alpha t}. \qquad (7)$$
This result looks (but is not) different from the one stated in [m] since we measure $\epsilon$ differently. In other words, for any $y \in \{0,1\}^k$, if $f$ is chosen from $\mathcal{F}$ then with overwhelming probability we have that the probability that $f(X) = y$ is $\frac{1}{2^k}(1 \pm \epsilon)$.

Theorem 5 follows trivially from this lemma. Indeed, set $\alpha = 3\log n$, $t = n/\log n$. Notice that for any $L \in \binom{[n]}{\ell}$ and any setting $w$ of bits not in $L$, the random variable $X = (r \mid [r]_{\bar L} = w)$ has min-entropy $m = \ell$. Then $k$ given in Theorem 5 indeed satisfies Equation (6). Now we apply Lemma 6 and take the union bound in Equation (7) over all possible fixings of some $(n - \ell)$ input bits, and over all $y \in \{0,1\}^k$. Overall, there are at most $\binom{n}{\ell} 2^{n-\ell} 2^k \leq 2^{2n}$ terms in the union bound, and each is less than $2^{-\alpha t} = 2^{-3n}$, finishing the proof of Theorem 5.

For completeness, we give a simple proof of Lemma 6. We will make use of the following "tail inequality" for sums of $t$-wise independent random variables proven by Bellare and Rompel [2]. There they estimate $\Pr[|Y - \mathrm{Exp}[Y]| > A]$, where $Y$ is a sum of $t$-wise independent variables. We will only be interested in $A = \epsilon \cdot \mathrm{Exp}[Y]$, where $\epsilon < 1$. In this case, tracing the proof of Lemma 2.3 (and Lemma A.5 that is used to prove it) of [2], we get the following:

Theorem 6 ([2]). Let $t$ be an even integer, and assume $Y_1, \ldots, Y_N$ are $t$-wise independent random variables in the interval $[0,1]$. Let $Y = Y_1 + \ldots + Y_N$, $\mu = \mathrm{Exp}[Y]$ and $\epsilon < 1$. Then
$$\Pr(|Y - \mu| > \epsilon\mu) \leq C_t \left(\frac{t}{\epsilon^2 \mu}\right)^{t/2} \qquad (8)$$
where the constant $C_t < 8$ and in fact $C_t < 1$ for $t \geq 8$.

Now we can prove Lemma 6.

Proof. Let $p_x$ denote the probability that $X = x$, and let $q$ denote the random variable (only over the choice of $f$) which equals the probability (over the choice of $x$ given $f$) that $f(x) = y$, i.e.
$$q = \sum_{x \in \{0,1\}^n} p_x \cdot I_{\{f(x) = y\}}$$
where $I_{\{f(x) = y\}}$ is an indicator variable which is $1$ if $f(x) = y$ and $0$ otherwise. Since for any $x$ the value of $f(x)$ is uniform over $\{0,1\}^k$, we get that $\mathrm{Exp}_f[I_{\{f(x) = y\}}] = 2^{-k}$, and thus $\mathrm{Exp}_f[q] = 2^{-k}$. Notice also that the variables $I_{\{f(x) = y\}}$ are $t$-wise independent, since $f$ is chosen at random from a family of $t$-wise independent functions. And finally notice that since $X$ has min-entropy $m$, we have that all $p_x \leq 2^{-m}$.

Thus, if we let $Q_x = 2^m \cdot p_x \cdot I_{\{f(x) = y\}}$, $Q = \sum_{x \in \{0,1\}^n} Q_x = 2^m q$, we get that the variables $Q_x$ are $t$-wise independent, all reside in the interval $[0,1]$, and $\mathrm{Exp}[Q] = 2^m \mathrm{Exp}[q] = 2^{m-k}$. Now we can apply the tail inequality given in Theorem 6 and obtain:

322 Yevgeniy Dodis, Amit Sahai, and Adam Smith

$$\Pr_f\left[\left|q - \frac{1}{2^k}\right| > \frac{\epsilon}{2^k}\right] = \Pr\Big[|Q - 2^{m-k}| > \epsilon \cdot 2^{m-k}\Big] \leq \left(\frac{t}{\epsilon^2 \cdot 2^{m-k}}\right)^{t/2} = \left(\frac{1}{2^{\,m - k - 2\log\frac{1}{\epsilon} - \log t}}\right)^{t/2} \leq 2^{-\alpha t}$$
where the last inequality follows from Equation (6). □



4.3 Adaptively Secure AONT 

We already remarked that the construction of optimal adaptive statistical ERF's implies the construction of adaptive computational ERF's. Combined with Lemma 2 we get optimal constructions of AONT's as well. We notice also that the public part of these AONT constructions is $k$. In the statistical setting, where we achieved optimal $\ell = k + o(k)$, we could then combine the public and the secret part of the AONT to obtain a secret-only adaptive AONT with $\ell = 2k + o(k)$. One may wonder if there exist statistical secret-only AONT's with $\ell = k + o(k)$, which would be optimal as well. Using our construction of almost-perfect resilient functions, we give an affirmative answer to this question. Our construction is not efficient, but the existential result is interesting because it was not known even in the static setting.

Lemma 7. Ignoring the issue of efficiency, there exist adaptive statistical secret-only $\ell$-AONT $T : \{0,1\}^k \to \{0,1\}^n$ with $\ell = k + o(k)$.

Proof. Recall, Lemma 1 used an inverse of a perfect RF (or ERF, which is the same) to construct a perfect secret-only AONT. We now show that the same construction can be made to work in the statistical setting provided we use an APRF rather than a weaker statistical RF. In particular, let $f : \{0,1\}^n \to \{0,1\}^k$ be an $\ell$-APRF. We know that we can achieve $\ell = k + o(k)$. We define $T(x)$ to be a random $r \in \{0,1\}^n$ such that $f(r) = x$. (This is well-defined since APRF's are surjective.)

Now take any distinguisher $A$, any $x \in \{0,1\}^k$ and any possible view of $A$ having oracle access to $T(x) = r$. Since we can assume that $A$ is deterministic, this view can be specified by the $(n - \ell)$ values $w$ that $A$ read from $r$ (in particular, the subset $L$ is also determined from $w$). Now, we use Bayes' law to estimate $\Pr(\mathrm{View}_A^{T(x)} = w)$. Notice, since $r = T(x)$ is a random preimage of $x$, we could assume that $r$ was chosen at random from $\{0,1\}^n$, and use conditioning on $f(r) = x$. This gives us:
$$\Pr(\mathrm{View}_A^{T(x)} = w) = \Pr(\mathrm{View}_A^{r} = w \mid f(r) = x) = \Pr([r]_{\bar L} = w \mid f(r) = x) = \frac{\Pr(f(r) = x \mid [r]_{\bar L} = w) \cdot \Pr([r]_{\bar L} = w)}{\Pr(f(r) = x)} = \frac{(1 \pm \epsilon) \cdot 2^{-k} \cdot 2^{\ell - n}}{(1 \pm \epsilon) \cdot 2^{-k}} = (1 \pm 2\epsilon) \cdot 2^{\ell - n}.$$
Notice that this bound is independent of $A$, $x$ and $w$. Hence, for any $x_0 \neq x_1$ and any adversary $A$, $\mathrm{View}_A^{T(x_0)}$ and $\mathrm{View}_A^{T(x_1)}$ are within statistical distance $4\epsilon$ from each other, implying that $T$ is an adaptive statistical AONT. □
Abstract. The block ciphers MISTY1 and MISTY2 proposed by Mat- 
sui are based on the principle of provable security against differential 
and linear cryptanalysis. This paper presents attacks on reduced-round 
variants of both ciphers, without as well as with the key-dependent lin- 
ear functions FL. The attacks employ collision-searching techniques and 
impossible differentials. KASUMI, a MISTY variant to be used in next 
generation cellular phones, can be attacked with the latter method faster 
than brute force when reduced to six rounds. 



1 Introduction 

The MISTY algorithms proposed by Matsui [?] are designed to be resistant 
against differential [?] and linear [?] cryptanalysis. One design criterion is that 
no single differential or linear characteristic with a usable probability holds 
for the cipher. An additional feature is the use of key-dependent linear functions 
which were introduced to counter attacks other than differential and linear ones. 

Previous attacks by Tanaka, Hisamatsu and Kaneko [?] on MISTY1 and 
by Sugita [?] on MISTY2 employ higher order differentials against 5-round 
variants without the linear FL functions. A cryptographic weakness of the round 
construction of MISTY2 was pointed out by Sakurai and Zheng [?]. 

In this paper we present attacks on reduced-round variants of MISTY1 and 
MISTY2, both without and with the key-dependent linear functions FL. The 
round function involves a huge amount of keying material, so it is one purpose of 
this paper to point out properties of the round function that allow the use of divide- 
and-conquer techniques on the subkeys in order to improve basic attacks which 
make use of impossible differentials [?] and collision-searching [?]; the latter 
technique is extended by using multiple permutations. Furthermore reduced- 
round KASUMI, a MISTY variant to be used in next generation cellular phones, 
is attacked with impossible differentials. Table 1 shows a summary of the attacks. 

This paper is organised as follows. The MISTY algorithms are described in 
Section 2; properties of the key scheduling and the round function that are used 
here are explained in Section 3; the new attacks on MISTY1 resp. MISTY2 are 
described in Section 4 resp. 5. A comparison to KASUMI is made in Section 6. 
Conclusions are drawn in Section 7. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 325–[?], 2001. 

(c) Springer-Verlag Berlin Heidelberg 2001 
Table 1. Summary of attacks on MISTY variants. 

Cipher   FL functions   Rounds   Complexity [data]   Complexity [time]   Comments 
MISTY1   -              5        11 × 2^7            2^17                [12] (previously known) 
         -              5        2^[?]               2^38                [?] (previously known) 
         -              6        2^39                2^106               impossible differential (new) 
         -              6        2^54                2^61                impossible differential (new) 
         ✓              4        2^23                2^90.4              impossible differential (new) 
         ✓              4        2^38                2^62                impossible differential (new) 
         ✓              4        2^20                2^89                collision-search (new) 
         ✓              4        2^28                2^76                collision-search (new) 
MISTY2   -              5        2^[?]               2^39                [10] (previously known) 
         ✓              5        2^23                2^90                impossible differential (new) 
         ✓              5        2^38                2^62                impossible differential (new) 
         ✓              5        2^20                2^89                collision-search (new) 
         ✓              5        2^28                2^76                collision-search (new) 
KASUMI   ✓              6        2^55                2^100               impossible differential (new) 



2 Description of MISTY 

The MISTY algorithms [?] are symmetric block ciphers with a block size of 
64 bits and a key size of 128 bits. There are two flavors called MISTY1 and 
MISTY2, which differ by their global structure (see Figure 1). MISTY1 is a 
Feistel network with additional key-dependent linear functions FL placed in 
the data path before every second round. MISTY2 has a different structure 
that allows parallel execution of round functions during encryption. The FL 
functions are applied in MISTY2 to both halves of the data before every fourth 
round and also in every second round just before XORing the right to the left 
half of the data. In both ciphers the linear functions are also used as an output 
transformation. 

MISTY has a recursive structure, that is, the round function consists of a 
network with a smaller block size using the function FI that itself is again a 
smaller network; the structure of both the round function FO and the function 
FI is that of MISTY2. Figure 2 shows FO, FI and FL in a representation that 
is equivalent to the original description [?]. This equivalent description¹ is the 
result of moving the mixing of the leftmost seven bits of each KI_ij in each FI (as 
given in the specification [?]) out of FI and to the end of its superstructure 
FO; this is possible because these key bits do not affect any S-box inside the 
instance of FI where they are inserted. Due to the recursive structure a huge 
amount of keying material is involved in each round, i.e. 112 bits for FO in 

¹ For another equivalent description of MISTY's round function see [?]. 
Fig. 1. Global structure of MISTY1 and MISTY2. 



the original description; the equivalent description has a key size of 107 bits. 
Additional subkey bits are used if the round contains FL functions. The ciphers 
are proposed with 8 (MISTY1) resp. 12 (MISTY2) rounds. 

The key scheduling takes as input a 128 bit key consisting of 16 bit values 
K_1, ..., K_8 and computes additional 16 bit values K'_i, 1 ≤ i ≤ 8, 
where K_9 = K_1. The subkeys of each round are (i is identified with i − 8 for 
i > 8): 



Subkey   KO_i1   KO_i2     KO_i3     KO_i4     KI_i1      KI_i2      KI_i3      KL_i 
Value    K_i     K_{i+2}   K_{i+7}   K_{i+4}   K'_{i+5}   K'_{i+1}   K'_{i+3}   (K_{(i+1)/2} || K'_{(i+1)/2+6}) (odd i) 
                                                                                (K'_{i/2+2} || K_{i/2+4}) (even i) 

328 Ulrich Kühn 

Fig. 2. The functions FO and FI in a form equivalent to the original specification which 
eliminates the left 7 bits of the key to FI. S7 and S9 are bijective 7×7 resp. 9×9 
S-boxes; in FL the operators ∩ resp. ∪ denote the bitwise AND resp. OR. 



Given KO_i = (KO_i1, ..., KO_i4), KI_i = (KI_i1, ..., KI_i3), then AKO_ij and 
AKI_ij of our equivalent description relate to the original subkeys as follows. 
Let || denote the concatenation of bitstrings and [x]_{i..j} the selection of the 
bits i..j from x where bit 0 is the rightmost bit. Let KI'_ij denote the 16 bits 
[KI_ij]_{15..9} || 00 || [KI_ij]_{15..9}. Then the actual subkeys are 

AKO_ik = KO_ik, with 1 ≤ k ≤ 2 
AKO_i3 = KO_i2 ⊕ KO_i3 ⊕ KI'_i1                                    (1) 
AKO_i4 = KO_i2 ⊕ KO_i4 ⊕ KI'_i1 ⊕ KI'_i2 
AKO_i5 = KO_i2 ⊕ KI'_i1 ⊕ KI'_i2 ⊕ KI'_i3 
AKI_ik = [KI_ik]_{8..0}, with 1 ≤ k ≤ 3 

Notation. Throughout this paper all differences are taken as XOR of the ap- 
propriate values. Let L_i resp. R_i denote the left resp. right half of the input to 
round i, X_i the input to the round function FO, and Z_i its output; so L_1 resp. 
R_1 denotes the left resp. right half of the plaintext data. If round i uses FL in 
its data path (for example every odd round in MISTY1) let X_i resp. Y_i denote 
the left resp. right half of the data after the transformation through FL, and set 
X_i = L_i, Y_i = R_i otherwise. For MISTY2 let Ȳ_i denote the possibly transformed 
value of Y_i that is XORed to Z_i to form the half of the round's output that 
becomes R_{i+1} after the swap. 
3 Observations on the Key Scheduling and the Round Function 

Key Scheduling. The key scheduling is designed such that every round is 
affected by all key bits. This causes major problems in terms of complexity 
when exhaustively guessing the subkey of one round with a distinguisher for the 
other rounds, but it also allows to recover the whole key with reasonable effort 
once a large part of one round subkey is known. 

For example consider the first round's subkeys AKO_11, AKO_12, AKO_13 and 
AKI_11, AKI_12, AKI_13. By equation (1) (and the key scheduling table in Section 2) 
the 16 bits of key words K_1 and K_3 are known. AKI_12 resp. AKI_13 provides 
a 9 bit condition for K_2 resp. K_4 and K_5. After guessing the 7 bits of KI'_11 
in AKO_13 there is - knowing AKI_11 - a 16 bit condition for K_6 and K_7; also 
the word K_8 is known from AKO_13. Using a factor of 2 for the 8 computations 
of FI in the key schedule the total complexity of exhaustive search is about 
2 · 2^{128−32} · 2^{−9} · 2^{−9} · 2^{−32} = 2^{47} encryptions using two or three known plaintexts 
and corresponding ciphertexts. 


Round Function in Differential and Collision-Searching Attacks. The 
subkeys AKO_i4 and AKO_i5 are invisible in our attacks as they introduce fixed 
constants after all non-linearities when FO is applied in forward direction. The 
following properties of FO allow divide-and-conquer techniques for the other 75 
subkey bits at the cost of increased chosen plaintext or ciphertext requirements. 

Property 1. In forward direction, consider FO in round i having an output 
XOR of the form (β, β) where β is a nonzero 16 bit value. Then the input and 
output XOR of the third instance of FI must be zero, so (AKO_i3, AKI_i3) does 
not influence the output XOR. The input XOR to FO must be (α_l, α_r) such 
that α_r cancels the output XOR of the first FI under key (AKO_i1, AKI_i1) 
when the input XOR is α_l from the given input values. The value of β is 
solely influenced by (AKO_i2, AKI_i2). 

Property 2. In forward direction, consider inputs to FO in round i of the 
form (a_i, b) where the a_i are all different (thus forming a permutation in 
the notation of [?]) and b is a constant. Then the output of the second FI 
is a constant that depends on AKO_i2 and AKI_i2; the input of the third 
FI is a permutation, namely the XOR of the output of the first FI and 
b ⊕ AKO_i2 ⊕ AKO_i3. As long as AKO_i2 ⊕ AKO_i3 has the same value as for 
the unknown key, and AKO_i1, AKI_i1 and AKI_i3 are also correct, the output 
of FO is the same as for the correct subkey, up to XORing with a constant. 
So one can set AKO_i2 = 0, AKI_i2 = 0 in a first step, making sure that 
AKO_i2 ⊕ AKO_i3 has the correct value. 



Directional Asymmetry. Due to the Feistel network, FO is used in MISTY1 
in forward direction both for encrypting and decrypting data. But for MISTY2 
this is not the case. In forward direction the output of the second FI does not 
affect the input of the third FI; this fact is inherently used in both properties 
explained above. In backward direction, the outputs of the first and second FI 
each affect the input of every subsequent FI, which makes analysis harder in 
this direction. This is the reason that for MISTY2 the attacks presented in this 
paper use the chosen ciphertext model of attack, as then FO in the first round 
can be used in forward direction. 



4 Attacks on Reduced-Round MISTY1 

In this section we present attacks on MISTY1; it is assumed that the final swap 
of MISTY is also present in the reduced variant. One attack finds the last round 
subkey of 6 rounds of MISTY1 without FL functions, other attacks find the last 
round subkey of MISTY1 reduced to 4 rounds with FL functions but without 
the final output transformation; these attacks break exactly half of the cipher. 



4.1 Attacking MISTY1 without FL Functions 

This attack is based on the generic 5-round impossible differential for Feistel 
networks with bijective round functions 

(0, 0, \alpha_l, \alpha_r) \overset{5R}{\nrightarrow} (0, 0, \alpha_l, \alpha_r), \quad (\alpha_l, \alpha_r) \neq (0, 0), 

discovered by Knudsen [?]. The attack looks for differences (β_l, β_r, α_l, α_r) after 
6 rounds (including the final swap) and rules out all subkeys that can yield 
(α_l, α_r) → (β_l, β_r) from the given outputs, as that is impossible. 

The basic attack uses a structure of 2^{32} chosen plaintexts P_i = (x, y, a_i, b_i) 
with some fixed values x, y and (a_i, b_i) running through all 2^{32} values. Af- 
ter obtaining the corresponding ciphertexts (c_i, d_i, e_i, f_i) by encryption under 
the unknown key set up a list of values w_i = (a_i, b_i) ⊕ (e_i, f_i). For a pair 
i, j such that w_i = w_j the input difference is (0, 0, α_l, α_r) with (α_l, α_r) = 
(a_i ⊕ a_j, b_i ⊕ b_j); the output difference after six rounds and the final swap is 
(β_l, β_r, α_l, α_r) with (β_l, β_r) = (c_i ⊕ c_j, d_i ⊕ d_j). Now check for all 75 bit sub- 
keys k = (AKO_61, AKI_61, ..., AKO_63, AKI_63) if FO_k((e_i, f_i)) ⊕ FO_k((e_j, f_j)) = (β_l, β_r). 
Such a subkey is wrong while a correct guess never yields this difference. 

About C(2^{32}, 2) · 2^{−32} ≈ 2^{31} pairs w_i = w_j are expected in a structure. A wrong 
key has a probability of about 2^{−32} to cause a given output XOR, so a fraction 
of (1 − 2^{−32})^{2^{31}} = e^{−1/2} of the wrong subkeys are discarded. After repeating 
this basic step 75/log_2(e^{1/2}) ≈ 104 times only the correct subkey is expected to 
survive. 

This attack takes about 104 · 2^{32} ≈ 2^{39} chosen plaintexts. The time complexity 
is 2 · 2^{31} computations of FO per guessed key and per structure, so the total 
complexity is about 1/(1 − e^{−1/2}) · 2^{75+32} ≈ 2^{108.4} evaluations of FO which is 
equivalent to about 2^{106} encryptions of 6-round MISTY1 without FL functions; 
this is hardly a practical attack. 
It is possible to reduce the amount of work at the cost of increased chosen 
plaintext requirements using Property 1 of FO (see Section 3). Using the above 
structure of plaintexts and their ciphertexts set up a list of (w_i, u_i) with w_i = 
(a_i ⊕ e_i, b_i ⊕ f_i) and u_i = c_i ⊕ d_i. Now only matches with w_i = w_j and u_i = u_j 
are of interest which yield (c_i, d_i, e_i, f_i) ⊕ (c_j, d_j, e_j, f_j) = (β, β, α_l, α_r). About 
C(2^{32}, 2) · 2^{−32} · 2^{−16} ≈ 2^{15} matches are expected with this form; these pairs are 
analysed. We determine subkeys that yield (α_l, α_r) → (β, β) via FO as follows 
(such a subkey cannot be the correct one). For each (AKO_61, AKI_61) we check if 
the first FI gives output XOR α_r from e_i, e_j. Then each guess of (AKO_62, AKI_62) 
is checked if it yields output XOR β by the second instance of FI. Each part 
results in about 2^{9} candidates due to a 16 bit restriction. 

Each structure is expected to discard about 2^{9+9} · 2^{15} = 2^{33} 50 bit key 
candidates. Due to collisions a fraction of 1/e of the wrong keys is expected to 
remain after 2^{17} structures, but using in total 2^{17} · ln 2^{50} ≈ 2^{17} · 2^{5} structures, 
only the correct subkey remains. Thus about 2^{22} · 2^{32} = 2^{54} chosen plaintexts 
with about 2^{15} · 2^{22} = 2^{37} analysed pairs are needed. The time complexity of 
this part is 2 · 2 · 2^{25} evaluations of FI per analysed pair equivalent to about 2^{26} 
evaluations of FO. In total this is 2^{26} · 2^{37} = 2^{63} evaluations of FO equivalent to 
about 2^{61} encryptions of 6-round MISTY1 without FL functions. 

It remains to determine the 25 key bits (AKO_63, AKI_63) using the basic attack 
with 25/log_2(e^{1/2}) ≈ 35 structures requiring 2^{37.1} chosen plaintexts which can 
be reused from previous structures. The time complexity of this second part is 
about 1/(1 − e^{−1/2}) · 2^{25+32} ≈ 2^{58.4} evaluations of FO equivalent to about 2^{56} 
encryptions, which is much less than for the first part. 

In total this attack needs about 2^{54} chosen plaintexts and time comparable 
to 2^{61} encryptions; about 2^{37} pairs are analysed. 



4.2 Attacking MISTY1 with FL Functions 

Here we show two attacks on 4-round MISTY1 where FL functions are present 
with the exception of the final output transformation. One attack uses an im- 
possible differential, the other uses the collision-searching technique of Biham's 
attack on Ladder-DES [?]; in order to use Property 2 we extend this technique 
by employing multiple permutations. 



Differential-Style Attack. The impossible differential used to attack MISTY1 
without the FL functions does not work here. The problem occurs because FL 
changes nonzero differences. 

Lemma 1. The generic 5-round impossible differential for Feistel networks does 
not work for MISTY1 with the keyed linear functions FL. 

Proof. Assume that the differential starts at an odd-numbered round, i.e. a round 
where the FL functions are applied in, w.l.o.g. at round 1. The difference in the 
R_i is changed by FL for i ∈ {1, 3, 5}. For the impossible differential to work the 
differences in L_3 and L_4 have to be the same, and thus the output XOR of the 
round function must be zero (which is impossible). But as the application of FL 
in general changes the differences, this cannot be assured. In the second case 
the differential starts at an even numbered round, i.e. a round where FL is not 
applied in; here the reasoning goes along the same lines. □ 

The following 3-round impossible differential does work since FL cannot 
change zero differences. An input difference (0, 0, α_l, α_r) to round 1 with some 
nonzero values α_l, α_r cannot yield an output difference of (0, 0, δ_l, δ_r) before 
the swap in round 3 for nonzero values δ_l, δ_r. After round 1 the difference is 
(β_l, β_r, 0, 0) for some nonzero β_l, β_r as FL is bijective. Going backwards from 
round 3, the output difference of round 2 (before the swap) must have been 
(γ_l, γ_r, 0, 0) with nonzero γ_l, γ_r, which is only possible if (γ_l, γ_r) = (β_l, β_r) and 
if FO causes a zero output difference which is impossible. Basically the same 
argument works when the differential starts at round 2, where the nonzero part 
of the difference is changed in round 3. 

The attack works along similar lines as in Section 4.1 but uses structures 
of 2^{16} plaintexts P_i = (x, y, a_i, b_i) where x, y are constant and the (a_i, b_i) all 
different. Let (c_i, d_i, e_i, f_i) denote the ciphertexts. For each structure all about 
2^{31} pairs can be used which rule out a fraction of about e^{−1/2} of the wrong keys. 
This attack requires about 75/log_2(e^{1/2}) ≈ 104 structures (2^{23} chosen plain- 
texts) and about 1/(1 − e^{−1/2}) · 2^{75+16} ≈ 2^{92.4} evaluations of FO comparable 
to 2^{90.4} encryptions. 

We can improve this result by using Property 1. From the ciphertexts a list 
u_i = c_i ⊕ d_i is set up. So we can easily find those pairs which yield an output XOR 
(β, β, α_l, α_r); their number is expected to be 2^{15} per structure. The analysis of 
the first part from the improved analysis in Section 4.1 can be used for finding 
AKO_41, AKO_42, AKI_41, and AKI_42 requiring about 2^{17} · 2^{5} = 2^{22} structures 
(2^{38} chosen plaintexts) and 2^{26} · 2^{15} · 2^{22} = 2^{63} computations of FO comparable 
to 2^{62} encryptions. The second part for recovering AKO_43 and AKI_43 needs 
another 1/(1 − e^{−1/2}) · 2^{25+16} ≈ 2^{42.4} computations of FO where the needed 
plaintexts/ciphertexts are reused. In total this attack needs 2^{38} chosen plaintexts 
and work of about 2^{62} encryptions. 

Attack Using Collisions. Biham's attack on Ladder-DES [?] is also appli- 
cable to 4 round MISTY1 with FL functions, as these are bijective and thus 
cannot produce collisions. Consider a collection of chosen plaintexts of the form 
(x, y, a_i, b_i) with i ∈ I for some index set I where x, y are constants and (a_i, b_i) 
different random values. Using the notation from [?] this property of the collec- 
tion of {(a_i, b_i)}_{i∈I} is called a permutation, that is, there can be no collision. 

By the FL functions X_1 is a constant (x', y'), and Y_1 is a permutation, say 
{(a'_i, b'_i)}_{i∈I}. Z_1 is another fixed constant (x'', y'') derived from (x', y') by FO, 
so L_2 = X_2 is the permutation {(a'_i ⊕ x'', b'_i ⊕ y'')}_{i∈I} while R_2 = Y_2 is constant. 
Then Z_2 is yet another permutation, and so is L_3. X_3 is still a permutation after 
the FL in round 3, as is Z_3, but Z_3 ⊕ Y_3 behaves like a pseudo-random function. 
The attack proceeds as follows. Prepare plaintexts P_i = (x, y, a_i, b_i) and 
get their encryptions C_i = (c_i, d_i, e_i, f_i) under the unknown key. For all guesses 
k = (AKO_41, AKI_41, ..., AKO_43, AKI_43) of the last round's FO 75 bit key de- 
crypt the ciphertexts one round 

w_i = FO_k((e_i, f_i)) ⊕ (c_i, d_i). 

If w_i = w_j for some i, j then the key guess is wrong. The one-round decryption 
with a wrong key behaves like a pseudo-random function, so on average about 2^{16} 
decryptions are needed to eliminate a wrong guess; a correct guess never produces 
a collision. The attack needs 2^{20} chosen plaintexts and at most 2^{75} · 2^{20} = 2^{95} 
evaluations of FO. But on average a wrong guess should be ruled out after about 
2^{16} tries, so the workload is expected to be about 2^{16} · 2^{75} = 2^{91} evaluations of 
FO equivalent to 2^{89} encryptions. 

The probability of each wrong key guess to survive is the probability that 
all 2^{20} decrypted values are distinct. By the birthday paradox this probability is 
exp(−2^{20}(2^{20} − 1)/(2 · 2^{32})) ≈ exp(−2^{7}) ≈ 2^{−185}, so for all keys the probability 
for a false guess to survive is 2^{−110}. 
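Both last-round tests of this section, the impossible-differential elimination of Section 4.1 and the collision test just described, can be run end to end on a toy cipher where everything is checkable by brute force. The following Python script is an added example and is not MISTY and not the paper's code: it generalises the two techniques to a plain Feistel network with a 16-bit block, 8-bit halves, one 8-bit subkey per round and the bijective round function S[x ⊕ k] with S a constructed random permutation. Names such as encrypt, count_impossible_pairs, recover_last_key_impossible, recover_last_key_collision and DEMO_KEYS are the example's own. The structures, ciphertext lists and elimination conditions mirror the text (w_i = a_i ⊕ C_R,i for the pair filter; one-round decryption C_L ⊕ F(C_R, k) for the collision test), scaled down from 32-bit to 8-bit halves.

```python
import random
from itertools import combinations

_rng = random.Random(2001)            # fixed seed: S-box and structures are reproducible
SBOX = list(range(256))
_rng.shuffle(SBOX)                    # constructed random 8-bit permutation (bijective)
DEMO_KEYS = [0x4a, 0x93, 0x1f, 0xc6, 0x2d, 0x78]   # constructed 8-bit round subkeys


def F(x, k):
    """Bijective keyed round function of the toy cipher."""
    return SBOX[x ^ k]


def encrypt(l, r, keys):
    """Feistel network, one subkey per round: (L, R) -> (R, L xor F(R, k)),
    followed by a final swap as in DES."""
    for k in keys:
        l, r = r, l ^ F(r, k)
    return r, l


def count_impossible_pairs(keys5, alpha):
    """Count plaintext pairs with difference (alpha, 0) whose 5-round output
    difference is (alpha, 0). For a bijective F this is always 0 (Knudsen's
    generic 5-round impossible differential): forward, the difference after
    round 2 is (alpha, a) with a != 0 and the right half after round 3 is
    alpha xor (the F-difference caused by a); backward, an output difference
    (alpha, 0) forces that right half to equal alpha exactly, so F would have
    to map the nonzero difference a to zero."""
    assert len(keys5) == 5 and alpha != 0
    bad = 0
    for l in range(256):
        for r in range(256):
            cl, cr = encrypt(l, r, keys5)
            dl, dr = encrypt(l ^ alpha, r, keys5)
            if cl ^ dl == alpha and cr == dr:
                bad += 1
    return bad


def recover_last_key_impossible(keys6, n_structures=32):
    """Last-round subkey elimination on 6 rounds, in the spirit of Section 4.1.
    A structure holds the 256 plaintexts (a, x) for fixed x, so every pair has
    difference (alpha, 0) with alpha = a_i xor a_j. The 6-round ciphertext is
    (C_L, C_R) with C_R = R5 and C_L = L5 xor F(C_R, k6), where (R5, L5) would be
    the 5-round output. If C_R_i xor C_R_j == alpha, any k6 with
    F(C_R_i, k6) xor F(C_R_j, k6) == C_L_i xor C_L_j would make the 5-round
    output difference (alpha, 0); that is impossible, so such a k6 is discarded."""
    candidates = set(range(256))
    for x in _rng.sample(range(256), n_structures):
        buckets = {}                              # w_i = a_i xor C_R_i, as in the text
        for a in range(256):
            cl, cr = encrypt(a, x, keys6)
            buckets.setdefault(a ^ cr, []).append((cl, cr))
        for group in buckets.values():            # w_i == w_j  <=>  C_R difference == alpha
            for (cl1, cr1), (cl2, cr2) in combinations(group, 2):
                for k in [k for k in candidates if F(cr1, k) ^ F(cr2, k) == cl1 ^ cl2]:
                    candidates.discard(k)
    return candidates


def recover_last_key_collision(keys4):
    """Collision test on 4 rounds in the spirit of Biham's Ladder-DES attack.
    For plaintexts (a_i, x) with fixed x the left half entering round 4 is
    L3 = x xor F(a_i xor F(x, k1), k2), a permutation of a_i. Peeling the last
    round with a key guess k gives C_L xor F(C_R, k): for the correct k this is
    L3 (never a collision); for a wrong k it is L3 xor F(C_R, k4) xor F(C_R, k),
    which behaves like a random function and is expected to collide after about
    sqrt(pi * 256 / 2) ~ 20 values. Returns the surviving keys and the average
    number of values a wrong key survived before its first collision."""
    x = 0x3c
    cts = [encrypt(a, x, keys4) for a in range(256)]
    survivors, first_collision = [], []
    for k in range(256):
        seen = set()
        for idx, (cl, cr) in enumerate(cts):
            v = cl ^ F(cr, k)
            if v in seen:
                first_collision.append(idx + 1)
                break
            seen.add(v)
        else:
            survivors.append(k)
    return survivors, sum(first_collision) / max(1, len(first_collision))


if __name__ == "__main__":
    print("5-round impossible pairs:", count_impossible_pairs(DEMO_KEYS[:5], 0x5a))
    print("k6 candidates:", recover_last_key_impossible(DEMO_KEYS), "true:", DEMO_KEYS[5])
    print("k4 survivors, avg tries:", recover_last_key_collision(DEMO_KEYS[:4]))
```

With 8-bit halves a structure yields about 128 usable pairs and each pair discards about one key, so a few dozen structures are enough for the elimination to leave only k6; the collision test discards a wrong k4 after roughly 20 peeled values, which is the 8-bit analogue of the "about 2^16 decryptions" stated above for 32-bit halves.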

This attack can be improved using Property 2 at the cost of more chosen 
plaintexts. This version uses 2^{28} chosen plaintexts P_i = (x, y, a_i, b_i) with con- 
stants x, y and all different (a_i, b_i). The ciphertexts C_i = (c_i, d_i, e_i, f_i) are par- 
titioned into sets B_t, t ∈ {0, ..., 2^{16} − 1}, such that C_i ∈ B_t ⇔ f_i = t. First, 
set AKO_42 = 0, AKI_42 = 0. For each guess k = (AKO_41, AKI_41, k_23, AKI_43) of 
50 bits with k_23 in the role of AKO_43 and each B_t, 0 ≤ t ≤ 2^{16} − 1, decrypt all 
C_i ∈ B_t one round yielding w_i^t = FO_k((e_i, f_i)) ⊕ (c_i, d_i). If at one point w_i^t = w_j^t 
then this key is discarded, and the procedure is started with the next guess. This 
takes at most 2^{28} · 2^{50} = 2^{78} evaluations of FO comparable to 2^{76} encryptions 
to complete. 

Once a correct k with k_23 = AKO_42 ⊕ AKO_43 has been found the correct 
25 bits AKO_42, AKI_42 with AKO_43 = k_23 ⊕ AKO_42 have to be found. This time 
ciphertexts are used such that f_i varies. Here about 2^{20} ciphertexts from the 
collection of the 2^{28} should be sufficient to find the correct key. This requires 
work of at most 2^{20} · 2^{25} = 2^{45} evaluations of FO equivalent to 2^{43} encryptions. 
The time and chosen plaintext requirements are dominated by the first part (2^{76} 
work and 2^{28} chosen plaintexts). 

The first part uses several permutations, with the complication that the sum 
of the number of elements over all permutations is a constant. The probability 
of success can be estimated using methods from convexity theory [?]; we show 
that the case that all permutations are of equal size is the worst case. Let m_t = 
|B_t| and N = 2^{32}. For each B_t a wrong key survives the test with probability 
p_t = exp(−m_t(m_t − 1)/(2N)) with 0 ≤ m_t ≤ 2^{16}, and the product 
of all p_t is the probability of failure to eliminate the wrong key. 

Lemma 2. The function p(m_0, \ldots, m_{2^{16}-1}) = \prod_{t=0}^{2^{16}-1} \exp\left(-\frac{m_t(m_t-1)}{2N}\right) with 
\sum_{t=0}^{2^{16}-1} m_t = M > 0 has its maximum for m_0 = \cdots = m_{2^{16}-1} = M/2^{16}. 

Proof. Consider the function f(m) = exp(−m(m − 1)/(2N)); it is clear that ln(f(m)) 
is a concave function for 0 ≤ m ≤ M. It follows from [?, Prop. E.1] that 
p(m_0, ..., m_{2^{16}−1}) is Schur-concave and thus has its maximum when all m_i are 
equal, as claimed. □ 

By Lemma 2 the maximum probability of each wrong key guess to survive is 

\left(\exp\left(-\frac{2^{12}(2^{12}-1)}{2 \cdot 2^{32}}\right)\right)^{2^{16}} \approx \left(\exp(-2^{-9})\right)^{2^{16}} = \exp(-2^{7}) \approx 2^{-185}. 

It follows that also the probability is negligible that a single wrong key guess 
survives the first part. The probability that a wrong guess survives in the second 
part is, by the birthday paradox, about 2^{−185}, so for all 25 key bits this is about 
2^{−160} which is also negligible. 
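Lemma 2 and the bound derived from it can be checked numerically. The following Python snippet is an added example, not from the paper: log2_survival evaluates log_2 of ∏_t exp(−m_t(m_t − 1)/(2N)) for a list of bucket sizes, perturb moves elements between buckets while keeping their total fixed, schur_concavity_check confirms on small random partitions that no unequal partition ever beats the equal one, and PAPER_BITS evaluates the equal partition with the parameters used above (M = 2^28 ciphertexts, 2^16 sets B_t, N = 2^32). The function names and the small parameters of the check are the example's own.

```python
import math
import random


def log2_survival(sizes, N):
    """log2 of prod_t exp(-m_t (m_t - 1) / (2N)): the probability that a wrong
    key survives every bucket B_t, computed in the log domain to avoid underflow."""
    return -sum(m * (m - 1) for m in sizes) / (2.0 * N) / math.log(2)


def equal_partition(M, buckets):
    """M elements spread evenly over the buckets (M must be divisible by buckets)."""
    assert M % buckets == 0
    return [M // buckets] * buckets


def perturb(sizes, rng, moves):
    """Move single elements between buckets at random, keeping sum m_t fixed."""
    sizes = list(sizes)
    for _ in range(moves):
        i, j = rng.randrange(len(sizes)), rng.randrange(len(sizes))
        if sizes[i] > 0:
            sizes[i] -= 1
            sizes[j] += 1
    return sizes


def schur_concavity_check(M=2 ** 10, buckets=2 ** 4, N=2 ** 8, trials=200, seed=7):
    """True if, over random unequal partitions of M, the equal partition always
    has the largest survival probability, as Lemma 2 claims (constructed small
    parameters; the argument does not depend on their size)."""
    rng = random.Random(seed)
    best = log2_survival(equal_partition(M, buckets), N)
    for _ in range(trials):
        sizes = perturb(equal_partition(M, buckets), rng, rng.randrange(1, 64))
        if log2_survival(sizes, N) > best + 1e-12:
            return False
    return True


# Parameters of the first part above: 2^28 ciphertexts in 2^16 sets B_t, one-round
# decryptions compared as 32-bit values (N = 2^32); the equal partition has 2^12
# ciphertexts per set and gives about exp(-2^7), i.e. roughly 2^-185.
PAPER_BITS = log2_survival(equal_partition(2 ** 28, 2 ** 16), 2 ** 32)

if __name__ == "__main__":
    print("equal partition is the worst case:", schur_concavity_check())
    print("log2 of a wrong key's survival probability:", round(PAPER_BITS, 1))
```

The exact value is slightly below 185 bits because m_t(m_t − 1) is a little smaller than 2^{24}; the text's rounding to exp(−2^7) ≈ 2^{−185} is on the safe side.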

5 Attacks on Reduced-Round MISTY2 

While the attacks given in this section work for 5-round MISTY2 both with 
and without FL functions, the attacks on MISTY2 without FL functions have 
a much higher complexity than the one given in [?]; therefore we present here 
only the attacks on MISTY2 with FL functions; again we assume that the final 
swap but no output transformation is present. 

Because of the asymmetry of the round function described in Section 3 it 
seems to help to attack MISTY2 in the chosen ciphertext model, as then the 
round function is used in the forward direction when testing a guessed value of 
a subkey. 

Differential-Style Attack. This attack on 5-round MISTY2 makes use of the 
following impossible differential: 

Proposition 1. Given MISTY2 without FL, any input XOR (α_l, α_r, 0, 0) with 
nonzero (α_l, α_r) to round i cannot yield a difference (δ_1, δ_2, δ_1, δ_2) for any (δ_1, δ_2) 
in round i + 3. Conversely, a difference (δ_1, δ_2, δ_1, δ_2), (δ_1, δ_2) ≠ (0, 0), in round 
i + 3 cannot decrypt to a difference (α_l, α_r, 0, 0) before round i. 

For MISTY2 with FL functions this differential is also impossible provided 
that Ȳ_{i+3} = Y_{i+3}, i.e. round i + 3 does not apply FL to the right half before it is 
XORed to the left half. 

Proof. This differential uses the miss-in-the-middle approach (see [?]) where two 
differentials with probability 1 are concatenated such that a contradiction arises. 
The 2-round differential used here has input difference (α_l, α_r, 0, 0) and output 
difference (β_1, β_2, β_1, β_2) which happens with probability 1. The input difference 
of (α_l, α_r, 0, 0) causes a nonzero input difference for the first FO, which then 
becomes output difference (β_1, β_2) ≠ (0, 0) as FO is bijective. The XOR with 
the right hand side zero difference does not change this. So at the beginning of 
round 2 the difference is (0, 0, β_1, β_2) which FO cannot change. After round 2 
the difference is (β_1, β_2, β_1, β_2). The same reasoning works for the backwards 
direction, where an output difference (δ_1, δ_2, δ_1, δ_2) ≠ (0, 0, 0, 0) decrypts always 
to (γ_1, γ_2, 0, 0). Connecting two instances of this differential yields the contra- 
diction. 

When FL functions are present, the assumption on round i + 3 ensures that 
the output difference of FO in this round is zero. Application of FL in the first 
two rounds cannot yield a zero difference in the right half input to round i + 2, 
so the contradiction between rounds i + 1 and i + 2 still occurs. □ 

In order to use this impossible differential the condition of a missing FL func- 
tion in the last round must be met. From the specification of MISTY2 it is clear 
that if a group of 4 rounds does not employ FL functions in the fourth round the 
round preceding this group also does not use FL, so no additional key material 
has to be guessed besides the subkey for FO. This holds for example for rounds 2 
to 6. 

The attack works as follows. Set up a structure of 2^{16} ciphertexts C_i = 
(e_i, f_i, e_i ⊕ x, f_i ⊕ y) where x, y are constants and (e_i, f_i) are different values. Get 
the plaintexts P_i = (a_i, b_i, c_i, d_i) by decryption under the unknown key. Every 
pair of ciphertexts fulfills the ciphertext condition of the impossible differential. 
For each pair P_i, P_j any key k to the first round that encrypts P_i and P_j to 
a difference (α_1, α_2, 0, 0) must be a wrong guess, while a correct guess never 
yields such a contradiction. There are about 2^{31} such pairs, so that a fraction of 
(1 − 2^{−32})^{2^{31}} = e^{−1/2} of the wrong keys survives. Thus about 75/log_2(e^{1/2}) ≈ 104 
structures (about 2^{23} chosen ciphertexts) are required to eliminate all wrong 
keys. The work complexity is 1/(1 − e^{−1/2}) · 2^{75+16} ≈ 2^{92.4} computations of 
FO roughly comparable to 2^{90} decryptions. 

An improvement of the work factor can be reached using Property 1 in a 
similar way as for MISTY1 in Sections 4.1 and 4.2. For the attack we use the 
same structures as above. From their decryptions P_i = (a_i, b_i, c_i, d_i) we make a 
list w_i = c_i ⊕ d_i. All matches w_i = w_j, i ≠ j, yield a plaintext difference P_i ⊕ P_j = 
(α_l, α_r, β, β) for some value of β; these are the analysed pairs. With the input 
resp. output XOR (α_l, α_r) resp. (β, β) for FO in the first round we determine 
subkeys (AKO_11, AKI_11), (AKO_12, AKI_12) that yield this output difference from 
(a_i, b_i) and (a_j, b_j) as follows. For each (AKO_11, AKI_11) we check if the first 
FI gives output XOR α_r from a_i, a_j. Then each guess for (AKO_12, AKI_12) is 
checked if it yields output XOR β by the second FI. Each part is expected to 
result in about 2^{9} candidates due to the 16 bit restriction. Each of the expected 
2^{18} combinations is a wrong guess by the impossible differential. 

In each structure there are about 2^{31} pairs, each of which has a chance of 
2^{−16} to have a plaintext difference (β, β) in the right half. So about 2^{15} pairs 
are analysed, each of which excludes about 2^{18} not necessarily distinct subkey 
guesses. After about 2^{17} · ln(2^{50}) ≈ 2^{17} · 2^{5} structures (2^{38} chosen ciphertexts, 
2^{37} analysed pairs) there is only a single remaining key expected. The time 
complexity per pair is 2 · 2^{25} evaluations each for the first and the second FI, 
which is about 2^{26} evaluations of FO. In total this is about 2^{26} · 2^{37} = 2^{63} 
evaluations of FO equivalent to about 2^{62} encryptions. 
Determining the last 25 subkey bits AKO_13 and AKI_13 can be done with 
the basic attack and 25/log_2(e^{1/2}) ≈ 35 structures with about 2^{21.1} chosen 
ciphertexts reused from previous structures. The work requirements are about 
1/(1 − e^{−1/2}) · 2^{25+16} ≈ 2^{42.4} evaluations of FO which is approximately 2^{40} 
encryptions, much less than for the first part. 

In total about 2^{38} chosen ciphertexts and work of about 2^{62} encryptions is 
required to find the first round's 75 bit subkey; about 2^{37} pairs are analysed. 

Attack Using Collisions. This attack on 5-round MISTY2 with FL functions 
but without the output transformation works with collision-searching; it is based 
on the following observation in the chosen ciphertext model. 

Proposition 2. Given four rounds of MISTY2 starting at round n such that 
Ȳ_{n+3} = Y_{n+3} holds, i.e. Y_{n+3} is not transformed via FL before the XOR. As- 
sume that no output transformation with FL takes place. Given a set of cipher- 
texts C_i = (e_i, f_i, x ⊕ e_i, y ⊕ f_i) where x, y are constant and {(e_i, f_i)} form a 
permutation. After decryption the right half R_n is a permutation. 

Proof. Z_{n+3} is always the constant (x, y) and thus X_{n+3} as well as L_{n+3} is 
a constant, say (x', y'). On the other hand, R_{n+3} is the permutation {(e_i, f_i)}. 
After being XORed with (x', y') this becomes Z_{n+2}, so that also X_{n+2} and L_{n+2} 
are permutations while R_{n+2} is a constant. Z_{n+1} is a permutation which is the 
XOR of a constant and a permutation Ȳ_{n+1} which is L_{n+2} possibly transformed 
by an instance of FL. So X_{n+1} is a permutation. Now the claim follows. □ 

The attack using Proposition 2 works for example on the five rounds of 
MISTY2 from round 2 to round 6. Both round 2 and round 6 do not apply any FL 
functions. An attack using 2^{89} work and 2^{20} chosen ciphertexts works straight- 
forward as in Section 4.2 with the same analysis, so the detailed description is 
omitted here. 

In order to use the observation on reducing the amount of key material to 
be guessed the attack uses 2^{28} chosen ciphertexts of the form C_i = (e_i, f_i, x ⊕ 
e_i, y ⊕ f_i) where x, y are constants and {(e_i, f_i)} form a permutation. Decryption 
under the unknown key yields plaintexts P_i = (a_i, b_i, c_i, d_i) which we partition 
into 2^{16} sets B_t such that P_i ∈ B_t ⇔ b_i = t; thus all P_i ∈ B_t for a given t have the 
same value b_i = t. First, set AKO_12 = 0, AKI_12 = 0. For each 50 bit key guess 
k = (AKO_11, AKI_11, k_23, AKI_13) with k_23 in the role of AKO_13, and for each B_t, 
t ∈ {0, ..., 2^{16} − 1}, encrypt all P_i ∈ B_t one round yielding w_i^t = FO_k((a_i, b_i)) ⊕ 
(c_i, d_i). If we find w_i^t = w_j^t, i ≠ j, then this key must be discarded, and the 
procedure is started with the next key guess. This takes at most 2^{28} · 2^{50} = 2^{78} 
evaluations of FO comparable to 2^{76} encryptions to complete. 

Once a correct k with k_23 = AKO_12 ⊕ AKO_13 has been found, we have to 
find the correct 25 bits (AKO_12, AKI_12) and set AKO_13 = k_23 ⊕ AKO_12. Here 
we use plaintexts P_i where both a_i and b_i vary; about 2^{20} plaintexts from the 
collection of 2^{28} plaintexts should be sufficient. This requires work of at most 
2^{20} · 2^{25} = 2^{45} evaluations of FO equivalent to 2^{43} encryptions. The time and 
chosen ciphertext requirements are dominated by the first part (2^{76} work, 2^{28} 
chosen ciphertexts). 

The probability that a wrong key guess survives is bounded with the same 
arguments as in Section 4.2 by Lemma 2 and the birthday paradox, so the details 
are omitted here. 

6 Comparison to KASUMI 

The algorithm KASUMI P) is a MISTY variant that is to be used in next-generation cellular phones. The global structure is a Feistel network with 8 rounds including the final permutation. Its round function consists of FO and FL, where FL is applied before FO in odd-numbered rounds and after FO in even-numbered rounds. The FO function has the same structure as in MISTY, with the subkeys KO_{ij}, 1 ≤ j ≤ 3, being applied by XOR before FI, but it lacks the final XOR of KO_{i4} after all non-linearities; the FI function involves an additional fourth round, and the FL function uses left rotations by one bit before each XOR. The S-boxes S7 and S9 are bijective, but different from those of MISTY. Each round uses 128 key bits, 32 bits for FL and 96 bits for FO. These are derived by cycling through the key bytes and applying rotations and bitwise additions of constants.

The use of the basic Feistel structure without FL functions in the data path makes KASUMI susceptible to an attack based on the same 5-round impossible differential as used in Section o, but with the additional difficulty that FL is part of the round functions and FO uses more keying material. The differential can be used because both FO and FL are bijective. It should be noted that a property similar to Property 1 also holds for KASUMI's FO when it is preceded by FL, as happens in odd-numbered rounds:

Property 3. Assume that the concatenation of FL and FO has a nonzero output XOR (δ, δ). Denote the input XOR to FL by (α_l, α_r) and its output XOR (the input to FO) by (β_l, β_r). The difference β_r is solely determined by the first round of FL, as is the right half of the data in the first round of FO. In order to have the given output XOR of FO, the third round's output and input XOR must both be zero, which means that (KO_{i3}, KI_{i3}) can be ignored. The output XOR (δ, δ) is determined by the second round of FO from the inputs with XOR β_r; additionally, β_r is canceled by the output XOR β_r of the FI in the first round of FO, coming from the left halves of the inputs with XOR β_l.

The attack on rounds 2 to 7 of KASUMI including the last swap works as follows. In round 7 the function FL is applied before FO, so we can rely on Property 3. The attack uses the same structures as were used in Section^^and looks for pairs with ciphertext XOR (δ, δ, α_l, α_r) with the same methods. We expect about 2^® such pairs per structure, which will be analysed. Let (c_i, d_i, e_i, f_i) and (c_j, d_j, e_j, f_j) be such a pair. In order to use Property 3 we first fix a guess of the first round subkey KL_{71} of FL in round 7, yielding f'_i, f'_j with β_r := f'_i ⊕ f'_j. Then we determine which guesses of (KL_{72}, KO_{71}, KI_{71}) yield the XOR β_r after the first FI. We expect about 2^{48}/2^{16} = 2^{32} guesses to fulfill this condition.

Ulrich Kühn

Then, independently, we check which guess for (KO_{72}, KI_{72}) yields output XOR δ after the second FI from inputs f'_i and f'_j; here we expect about 2^{32}/2^{16} = 2^{16} guesses. Combinations of all these guesses are wrong subkeys and can be discarded. Their expected number is 2^{48} for each guess of KL_{71}, so each analysed pair is expected to discard about 2^{64} subkeys of 96 bits.

After about 2^^ structures an expected number of 2^{96}/e distinct subkeys are discarded. In total we need about 2^^ ln(2^{96}) ≈ 67 · 2^^ ≈ 2^® structures with 2®® chosen plaintexts and about 2®® analysed pairs to single out the right subkey.

The work requirements for each pair and each guess of KL_{71} are 2 · 2^{48} + 2 · 2^{32} ≈ 2^{49} computations of the second round of FL and FI. In total this is about 2^®® computations of FL and FI, roughly equivalent to 2®®® encryptions. Although this is much faster than brute force, it is hardly a practical attack because of the high data and work requirements.

7 Conclusion 

For MISTY1 the use of keyed linear functions inhibits the attack using the 5-round impossible differential of Feistel networks with bijective round functions; for MISTY2 we cannot make this claim, as we did not find an impossible differential longer than 4 rounds.

The attacks on MISTY2 suggest that this structure might be one round weaker than the Feistel structure, at least when the linear functions FL are present. The directional asymmetry of the MISTY2 structure used in FO with embedded 3-round FI suggests that this structure might be stronger in the backwards direction than in the forward direction.

By adding a fourth round to FI, as done for KASUMI, the equivalent description of FO would not reduce the number of key bits, so the attacks would only need to guess 7 bits more for each FI. If FO had one more round, the properties used to improve both the differential and collision-searching attacks would not hold, leaving only the basic forms of attack; but this would require more keying material.

Instead, the changes for KASUMI, i.e. adding a round to FI and employing the linear functions as part of the round function, do not require more keying material and seem to make an analysis of the round function very demanding.
Abstract. Serpent is one of the 5 AES finalists. The best attack published so far analyzes up to 9 rounds. In this paper we present attacks on 7-round, 8-round, and 10-round variants of Serpent. We attack a 7-round variant with all key lengths, and 8- and 10-round variants with 256-bit keys. The 10-round attack on the 256-bit key variant is the best published attack on the cipher. The attack enhances the amplified boomerang attack and uses better differentials. We also present the best 3-round, 4-round, 5-round and 6-round differential characteristics of Serpent.



1 Introduction 

Serpent P is a block cipher which was suggested as a candidate for the Advanced Encryption Standard (AES) |B|, and was selected to be among the five finalists.

In P a modified variant of Serpent, in which the linear transformation was replaced by a permutation, was analyzed. The permutation allows one active S box to activate only one S box in the consecutive round, a property that cannot occur in Serpent. Thus, it is not surprising that this variant is much weaker than Serpent, and that it can be attacked with up to 35 rounds.

In P the 256-bit variant of Serpent up to 9 rounds is attacked using an amplified boomerang attack. The attack is based on building a 7-round distinguisher for Serpent, and using it for attacking up to 9 rounds. The distinguisher is built using the amplified boomerang technique. It uses a 4-round differential characteristic in rounds 1-4, and a 3-round characteristic in rounds 5-7.

In this paper we enhance the amplified boomerang attack, and present the best 3-round, 4-round, 5-round and 6-round differential characteristics of Serpent published so far. We use these characteristics to devise an attack on 7-round Serpent with all key lengths, and an attack on 8-round Serpent with 256-bit keys. We also use these results to develop the best known distinguisher for 8-round Serpent by presenting a new cryptanalytic tool — the rectangle attack. This tool is then used to attack 10-round 256-bit key Serpent.

The paper is organized as follows: In Section 2 we give the description of Serpent. In Section 3 we present a differential attack on 7-round Serpent, and a differential attack on 8-round 256-bit key Serpent. In Section 4 we present the Rectangle Attack, and in Section 5 we describe the 8-round distinguisher and implement the attack on 10-round 256-bit key Serpent. Section 6 summarizes the paper. In the appendices we describe new 3-round, 4-round, 5-round and 6-round differential characteristics, which are the best known so far.

2 A Description of Serpent 

Serpent P is a block cipher with a block size of 128 bits and 0-256 bit keys. It is an SP-network, consisting of alternating layers of key mixing, S boxes and linear transformation. Serpent has an equivalent bitsliced description, which makes it very efficient.

The key scheduling algorithm of Serpent accepts 256-bit keys. Shorter keys are padded by a 1 followed by as many 0's as needed to have a total length of 256 bits. The key is then used to derive 33 subkeys of 128 bits.

We use the notations of P. Each intermediate value of the round i is denoted by B_i (which is a 128-bit value). The rounds are numbered from 0 to 31. Each B_i is composed of four 32-bit words X0, X1, X2, X3.

Serpent has 32 rounds, and a set of eight 4-bit to 4-bit S boxes. Each round function R_i (i ∈ {0, ..., 31}) uses a single S box 32 times in parallel. For example, R_0 uses S_0, 32 copies of which are applied in parallel. Thus, the first copy of S_0 takes bit 0 from each of X0, X1, X2, X3 and returns the output to the same bits (0). This is implemented as a boolean expression of the 4 registers.

The set of eight S-boxes is used four times. S_0 is used in round 0, S_1 is used in round 1, etc. After using S_7 in round 7 we use S_0 again in round 8, then S_1 in round 9, and so on. The last round is slightly different from the others: apply S_7 on B_31 ⊕ K_31, and XOR the result with K_32 rather than applying the linear transformation.

The cipher may be formally described by the following equations:

$$B_0 := P$$
$$B_{i+1} := R_i(B_i)$$
$$C := B_{32}$$

where

$$R_i(X) = LT(S_i(X \oplus K_i)) \qquad i = 0, \ldots, 30$$
$$R_i(X) = S_i(X \oplus K_i) \oplus K_{32} \qquad i = 31$$

where S_i is the application of the S-box S_{i mod 8} thirty-two times in parallel, and LT is the linear transformation.

The linear transformation is as follows: the 32 bits in each of the output words are linearly mixed by

X0, X1, X2, X3 := S_i(B_i ⊕ K_i)
X0 := X0 <<< 13
X2 := X2 <<< 3
X1 := X1 ⊕ X0 ⊕ X2
X3 := X3 ⊕ X2 ⊕ (X0 << 3)
X1 := X1 <<< 1
X3 := X3 <<< 7
X0 := X0 ⊕ X1 ⊕ X3
X2 := X2 ⊕ X3 ⊕ (X1 << 7)
X0 := X0 <<< 5
X2 := X2 <<< 22
B_{i+1} := X0, X1, X2, X3

where <<< denotes rotation, and << denotes shift. In the last round, this linear transformation is replaced by an additional key mixing: B_32 := S_7(B_31 ⊕ K_31) ⊕ K_32.
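As an added example (not code from the paper or from the Serpent reference implementation), the LT above in Python together with its inverse and a helper that lists the S-box columns touched by a difference; the function names are mine. Since LT is linear over XOR, an input XOR difference is mapped to LT of that difference, which is what the bitsliced difference figures later in the paper depict.

```python
"""Serpent linear transformation (LT), its inverse, and difference propagation.

Added example, not from the paper or the Serpent reference code. The register
names X0..X3 and the rotation/shift amounts follow the equations in the text.
"""
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """32-bit left rotation (the paper's <<<)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    """32-bit right rotation; undoes rotl(x, n)."""
    return rotl(x, 32 - (n % 32))


def lt(x0, x1, x2, x3):
    """Apply LT to four 32-bit words in exactly the order the paper lists."""
    x0 = rotl(x0, 13)
    x2 = rotl(x2, 3)
    x1 = x1 ^ x0 ^ x2
    x3 = x3 ^ x2 ^ ((x0 << 3) & MASK32)   # << is a plain shift: high bits fall off
    x1 = rotl(x1, 1)
    x3 = rotl(x3, 7)
    x0 = x0 ^ x1 ^ x3
    x2 = x2 ^ x3 ^ ((x1 << 7) & MASK32)
    x0 = rotl(x0, 5)
    x2 = rotl(x2, 22)
    return x0, x1, x2, x3


def lt_inv(x0, x1, x2, x3):
    """Undo LT step by step in reverse order (needed to peel off the last rounds)."""
    x2 = rotr(x2, 22)
    x0 = rotr(x0, 5)
    x2 = x2 ^ x3 ^ ((x1 << 7) & MASK32)
    x0 = x0 ^ x1 ^ x3
    x3 = rotr(x3, 7)
    x1 = rotr(x1, 1)
    x3 = x3 ^ x2 ^ ((x0 << 3) & MASK32)
    x1 = x1 ^ x0 ^ x2
    x2 = rotr(x2, 3)
    x0 = rotr(x0, 13)
    return x0, x1, x2, x3


def propagate_difference(d0, d1, d2, d3):
    """LT is linear over XOR, so LT(a) ^ LT(b) == LT(a ^ b): a difference maps to LT(difference)."""
    return lt(d0, d1, d2, d3)


def active_sboxes(d0, d1, d2, d3):
    """Columns (S-box positions) a difference touches.

    In the bitsliced view S box j reads bit j of each of X0..X3, so S box j is
    active exactly when bit j is set in at least one of the four difference words.
    """
    union = d0 | d1 | d2 | d3
    return sorted(j for j in range(32) if (union >> j) & 1)


if __name__ == "__main__":
    # A single-bit difference in bit 0 of X0 (S box 0) spreads over several columns.
    out = propagate_difference(1, 0, 0, 0)
    print([hex(w) for w in out], active_sboxes(*out))
```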

3 Differential Attack on 7- and 8-Round Serpent 

In this section we present attacks on 7-round and 8-round Serpent from round 4 to round 10 (or round 11 in the 8-round variant), i.e., encryption starts with S3 and ends with S2 (S3 for the 8-round variant)¹. In Appendix [O a 6-round differential characteristic between round 4 and round 9 with probability 2^{-93} is presented. In the rest of this paper we keep the round numbers as in the corresponding rounds of Serpent, i.e., from round 4 to round 10, rather than from round 0 to round 6.

We adopt the representation of the differential characteristics using figures as in p], but add more data to the figures. The figures describe data blocks by rectangles of 4 rows and 32 columns. The rows are the bitsliced 32-bit words, and each column is the input to a different S box. The upper line represents X0, the lower line represents X3, and the rightmost column represents the least significant bits of the words. A thin arrow represents a probability of 1/8 for the specific S box (given the input difference, the output difference is achieved with probability 1/8), and a fat arrow stands for probability 1/4. If there is a

¹ Attacks starting from other rounds do not necessarily have the same complexities since the S boxes used in the various rounds are different.



difference in a bit, the box related to it is filled. An example of our notation can be found in Figure 1, in which in the first S box (S box 0, related to bits 0) the input difference 1 causes an output difference 3 with probability 1/4, and in S box 30 input difference 3 causes an output difference 1 with probability 1/8.
Fig. 1. Difference Representation Example



The attack uses 2^{14} characteristics with different input differences but the same output difference. The 2^{14} characteristics differ only in the first round, in which they have the same active S boxes with different input differences. All the characteristics have the same differences after the first round, and all have the same probability 2^{-93}. The input difference for one of the 6-round characteristics is presented in Figure 2 and the common output is presented in Figure 3 (the full characteristic is presented in the appendix).







Fig. 2. The Input Difference of the 6-Round Differential Characteristic 




The attack requires 2^{32} structures of 2^{52} chosen plaintexts each. In each structure all the inputs to the 19 inactive S boxes in the first round are fixed to some (random) value, while the 52 bits of input to the 13 active S boxes receive all the 2^{52} possible values. In these data structures there are 2^{51} · 2^{32} = 2^{83} pairs for each possible characteristic. Each characteristic has probability 2^{-93}; therefore, we expect that about 2^{83} · 2^{14} · 2^{-93} = 2^{4} pairs satisfy one of the characteristics. We call these pairs right pairs. The number of possible pairs in each structure is (2^{52})^2/2 = 2^{103}, thus we have 2^{103} · 2^{32} = 2^{135} pairs to consider in total.

Each pair satisfying one of the characteristics has 19 active S boxes in round 10, thus any pair with non-zero output difference in one of the remaining 13 S boxes can be automatically discarded. Thus, about 2^{103}/2^{52} = 2^{51} candidates for right pairs remain from each structure.

Moreover, in 3 S boxes only 4 output differences are possible if one of the characteristics is satisfied; in 6 S boxes only 6 output differences are possible; in 9 S boxes only 7 output differences are possible, and in the remaining S box eight output differences are possible. Discarding any pair with a wrong output difference using the above filter should keep only a fraction of (4/16)^3 · (6/16)^6 · (7/16)^9 · (8/16) ≈ 2^{-26.22} of the pairs. Thus, only about 2^{51} · 2^{-26.22} = 2^{24.78} pairs remain for each structure.

For each structure, we check whether the remaining pairs satisfy one of the 2^{14} possible plaintext differences (corresponding to the 2^{14} characteristics). As there are about 2^{52} possible input differences, only a fraction of about 2^{-52} · 2^{14} = 2^{-38} of the pairs remain at this stage. Thus, the expected number of remaining pairs in all the 2^{32} structures is 2^{24.78} · 2^{-38} · 2^{32} = 2^{18.78}.

For each remaining pair we compute a list of possible whitening subkeys of the 19 active S boxes in the last round. For each active S box, each pair suggests at most 4 values for the subkey of that S box. Thus, counting on m S boxes results in at most 2^{18.78} · 4^m = 2^{18.78+2m} hits. The average number of hits (for a wrong value) is 2^{18.78+2m}/2^{4m}, which is smaller than 1 for m > 10. On the other hand, the correct subkey is counted for each right pair, i.e., about 16 times, and thus it can be easily identified when m > 10. Then, we count on the remaining 9 S boxes and take the only value suggested more than two or three times. Note that even if we got more than one possible subkey after counting on 10 S boxes, only one of them is expected to remain after this stage. In total we retrieve 76 subkey bits using at most 2®®'^® one round encryptions and 2^{40} 4-bit counters. We can retrieve 52 additional bits by analyzing the first round as well.

After we retrieve 128 bits of subkey material we can easily find a 128-bit key using linear equations. For 192- and 256-bit keys we can take another set of characteristics. The new set includes the original characteristics used in the attack rotated one bit to the left, i.e., if we have a difference in the least significant bit of X0 in the original characteristics, we have a difference in the second bit (bit 1) of X0 in the new set. There is an additional set, in which the rotation is by two bits. (Note that rotation by 3 bits does not make good characteristics.) This way we obtain 36 additional subkey bits from round 4 (as out of the 52 bits in the input to the 13 active S boxes there are 16 common bits). This phase of the attack is much simpler, as we already know the common 16 subkey bits, and can easily discard wrong pairs. We also get 32 additional bits from round 10, thus obtaining 68 additional bits (36 from round 4, and 32 from round 10). For 192-bit keys, this information is sufficient to recover the key. For 256-bit keys we can use other differentials with probability 2^{-93} (which are just equivalent to the differential we have used with slight modifications in the last round of the characteristic) using similar techniques and retrieve the remaining unknown bits.

We conclude that the attack requires 2^{32} · 2^{52} = 2^{84} plaintexts for 128-bit keys, and twice as much for 192-bit and 256-bit keys. The time complexity of the attack is 2®® memory accesses. The memory requirements are 2^{40} 4-bit counters and 2^{52} cells for a hash table.

In order to reduce the time of analysis we perform the algorithm in the following way:

1. For each structure:

   (a) Insert all the ciphertexts into a hash table according to the 52 ciphertext bits of the inactive S boxes in the last round.

   (b) For each entry with a collision (a pair of ciphertexts with equal 52-bit values) check whether the plaintexts' difference (in round 4) is one of the 2^{14} characteristics' input differences.

   (c) If a pair passes the above test, check whether the difference (in the 76 bits) can be caused by the output difference of the characteristics.

   (d) If a pair passes also the above test, we add 1 to the counter related to the 40 bits of the subkey (as there are 4m subkey bits, and for m = 10 we get the best results).

2. Collect all the (few) subkeys whose counter has at least 10 hits. With a high probability the correct subkey is in this list (and it is the only one in it).

3. For each pair suggesting a value in the list, we complete the subkey of the other 9 S boxes in round 10, and the 13 S boxes from round 4. As we should have only right pairs (with very few additional wrong pairs), and as the right pairs agree on the rest of the subkey, we can identify the right subkey by intersecting the sets proposed by the various pairs.

For each structure 2^{52} memory accesses are performed for the hashing. In the hash table about 1/e of the entries are empty, and 1/e of the entries contain only one plaintext (and no pairs need to be analyzed). Counting on all the possibilities for the number of plaintexts in each entry of the hash table we conclude that 2^{51} pairs from each structure need to be analyzed. Most of them are discarded by the first filter, and about 2^® pairs remain for the second filtering and counting. Therefore, we can estimate the work for each structure as the work needed to hash all plaintexts and then to look at the hash table afterwards, and to perform the search whenever there are more than two plaintexts in one hash entry. The number of pairs we expect to check is 2^{51} and most of them can be discarded almost immediately. We perform about 2®® memory accesses for each structure, and the amount of work needed for the whole attack is equivalent to about 2®® · 2®® = 2®® memory accesses.
3.1 8-Round 256-Bit Key Serpent

One can easily extend our attack to 8 rounds for the 256-bit key variant by guessing the subkey of round 11. For each possible value of the subkey of round 11 we decrypt the last round and use the attack from the previous subsection. This way, there is no need to do the extra work of completing the key by retrieving other subkeys. The data complexity remains the same 2^{84}, and the time complexity is 2^{128} · 2®® = 2^^® memory accesses with 2^{40} counters.

4 The Rectangle Attack 

4.1 Amplified Boomerang Attack 

The main idea of the amplified boomerang attack |0| is to use two short differential characteristics instead of one long characteristic. Therefore, this technique is very useful when we have good short differential characteristics and very bad long ones.

Let a cipher E : {0,1}^n × {0,1}^k → {0,1}^n be composed of two encryption functions E_0 and E_1. Thus, E = E_1 ∘ E_0. We assume that a good differential is not known for E, but for E_0 we have a differential characteristic α → β with probability p, and for E_1 we have a differential characteristic γ → δ with probability q, where pq ≫ 2^{-n/2}.

The basic attack is based on building quartets of plaintexts (x, y, z, w) which satisfy several differential conditions. Assume that x ⊕ y = α and z ⊕ w = α. Each pair has probability p to satisfy the characteristic α → β in E_0. We denote by x', y', z', w' the encrypted values of x, y, z, w under E_0, respectively (x' = E_0(x), ..., w' = E_0(w)). We are interested in the cases where x' ⊕ y' = β, z' ⊕ w' = β and x' ⊕ z' = γ, as in these cases y' ⊕ w' = (x' ⊕ β) ⊕ (z' ⊕ β) = γ as well. We receive two pairs for E_1 each with input difference γ. When encrypting those x', y', z', w' by E_1, in some of the cases the input difference γ becomes δ, and we look for the cases where both differences become x'' ⊕ z'' = δ and y'' ⊕ w'' = δ after E_1. A quartet satisfying all these differential requirements is called a right quartet. An outline of such a quartet is shown in Figure 4.

The question which arises is what is the fraction of the right quartets among all the quartets. If we have m pairs with difference α, a fraction of about p of them satisfies the characteristic for E_0. Thus, we have about mp pairs with output difference β in the input to E_1, giving about (mp)^2/2 quartets consisting of two such pairs. Assuming that the intermediate encryption values distribute uniformly over all possible values, then with probability 2^{-n} we get x' and z' such that x' ⊕ z' = γ, but once this occurs we automatically get another pair with input difference γ (the pairs are (x', z') and (y', w')). Note that x' and w' also have probability 2^{-n} to have a difference x' ⊕ w' = γ, thus, given two pairs (x', y') and (z', w') we have two ways to use them as a quartet, with probability 2^{-n+1}. Therefore, we have (mp)^2/2 · 2^{-n+1} quartets which might satisfy our requirements. Each of the pairs satisfies the second characteristic for E_1 with
Fig. 4. Right Quartet for the Rectangle Attack



probability q. Thus, starting with m pairs (x, y), (z, w), the expected number of right quartets is:

$$\frac{(mp)^2}{2} \cdot 2^{-n+1} \cdot q^2 = (mp)^2 \cdot 2^{-n} \cdot q^2 = m^2 \cdot 2^{-n} \cdot (pq)^2 .$$

Therefore, the distinguisher counts quartets (x, y, z, w) of plaintexts which satisfy x'' ⊕ z'' = y'' ⊕ w'' = δ.

For a random permutation (or for a random value of α and δ) the expected number of quartets is m^2 · 2^{-2n}, as there are m^2 possible quartets (there are m^2/2 pairs of pairs, and each pair of pairs can create two quartets, e.g., (x, y), (z, w) and (x, y), (w, z)). For each pair (x, z) or (y, w) the probability of having a specific difference in the output is 2^{-n}. Therefore, if pq > 2^{-n/2}, we would count more quartets than random noise. This way when m is sufficiently large we can have a distinguisher which distinguishes between E and a random cipher.



4.2 Rectangling the Boomerang 

The first improvement was suggested in [SI7, in which it was observed that instead of requiring a specific γ, we can count on all possible γ' values for which γ' → δ by E_1.



Eli Biham, Orr Dunkelman, and Nathan Keller



Therefore, the probability Pr^2(γ → δ) = q^2 for the pairs (x', z') and (y', w') to have output difference δ is replaced by the probability Σ_{any γ'} Pr^2(γ' → δ), and we have about

$$\frac{\left(m \cdot \Pr(\alpha \to \beta)\right)^2}{2} \cdot 2^{-n+1} \cdot \sum_{\text{any } \gamma'} \Pr^2(\gamma' \to \delta)$$

quartets satisfying the rectangle conditions. As a result, we might prefer the difference x'' ⊕ z'' to be some value δ which has many lower probability characteristics instead of an optimal δ with one characteristic with the highest probability.

Our second improvement is quite similar. Instead of discarding pairs with a wrong β value, we sort the pairs into piles according to the output difference (β') of E_0. For each possible pile we perform the original attack. For each pile we have probability Σ_{any γ'} Pr^2(γ' → δ) to have a quartet at the end. The number of pairs in each pile β' is m · Pr(α → β'). Thus, we have about

$$\sum_{\text{any } \beta'} \frac{\left(m \cdot \Pr(\alpha \to \beta')\right)^2}{2} \cdot 2^{-n+1} \cdot \sum_{\text{any } \gamma'} \Pr^2(\gamma' \to \delta) \;=\; m^2 \cdot 2^{-n} \cdot \sum_{\text{any } \beta'} \Pr^2(\alpha \to \beta') \cdot \sum_{\text{any } \gamma'} \Pr^2(\gamma' \to \delta)$$

quartets for the second step of the attack.

Our third improvement is based on the first two. We can take into consideration more quartets. Assume that for the first pair the difference α causes some difference a, and for the second pair α → b. Then, we can count also characteristics for which γ → δ and γ ⊕ a ⊕ b → δ. This way the number of quartets is

$$\sum_{a,b} m^2 \cdot 2^{-n} \cdot \Pr(\alpha \to a)\,\Pr(\alpha \to b) \cdot \sum_{\gamma} \Pr(\gamma \to \delta)\,\Pr(\gamma \oplus a \oplus b \to \delta) .$$

Note that this improvement counts all the quartets with plaintext difference α and ciphertext difference δ. However, it is very hard to do the exact calculation.



5 Attacking 10-Round Serpent 

In Section 4 we presented a method to build a distinguisher for a function E = E_1 ∘ E_0. We now present a method to use the distinguisher to find subkey material.

We attack a 10-round 256-bit key Serpent (round 0 to round 9) using an 8-round rectangle distinguisher. In this distinguishing attack E_0 is rounds 1-4 of Serpent, and E_1 is rounds 5-8. The basic differential characteristic (α → β) used in rounds 1-4 is also the best known 4-round differential characteristic of Serpent. This characteristic and the basic differential characteristic used in rounds 5-8 are presented in Appendix B. α and δ are presented in Figure 5 and Figure 6, respectively.





Fig. 6. The Output Difference δ of the Rectangle Attack



The first differential has probability 2^{-29}. Using the second improvement and counting on all possible output differences of round 4, we receive Σ_{β'} Pr^2[α → β'] = 2^{-50.8}. The second differential has probability 2“'^’^. Using the first improvement and counting on a large set of characteristics (all are very similar to the basic one, and have the same last two rounds) we receive Σ_{γ'} Pr^2[γ' → δ] = 2^{-69.8}. These probabilities were computed by a computer program which scanned characteristics similar to those presented in Appendix B.

For m = 2^{125.8} pairs with the difference α of Figure 5, about 2 · (2^{125.8} · 2^{-25.4})^2/2 = 2^{200.8} quartets can be formed after the fourth round. The probability to get a specific γ is about 2^{-128}, thus the expected number of quartets with a given γ is about 2^{72.8}. As Σ_{γ'} Pr^2[γ' → δ] = 2^{-69.8}, the number of right quartets is 8.

To attack 10-round Serpent (rounds 0-9) we use a similar technique to the one used in |S|. We request 2^{62.8} structures of 2^{64} plaintexts each. The structures are chosen so that each structure varies over all the possible inputs to the active S boxes in round 1, while the input of the rest of the S boxes is kept fixed (this is done by checking which S boxes in round 0 affect the active bits in round 1, and trying all the inputs to these S boxes). Using this procedure for choosing the plaintexts we get 2^{125.8} pairs with difference α after round 0.

We keep all the plaintexts and their corresponding ciphertexts in a large table (whose size is 2^{126.8} · 2 · 16 = 2^{131.8} bytes of memory), and keep 2^{84} 4-bit counters, where each counter corresponds to one of the possible values of the 84 bits of the subkeys we search for (64 bits entering 16 S boxes in the first round, and 20 bits entering 5 S boxes in the last round). In order to count the number of quartets with the given α and δ we perform the following algorithm:

1. Initialize the counter array with 0's.

2. For each 64-bit subkey value in round 0, for each 20-bit subkey value in round 9, and for each plaintext x:

   — Partially encrypt x through round 0 in the 16 S boxes and denote the value we get by x_1.

   — Calculate x_1 ⊕ α and denote this value by y_1.

   — Partially decrypt y_1 through round 0 in the 16 S boxes, and find the corresponding plaintext, which we denote by y (this plaintext y exists in our data, due to the way we choose the structures). The value of the plaintext bits of y related to the other 16 S boxes is the same as of x.

   — Let x'' and y'' be the corresponding ciphertexts of x and y respectively; then,

   — Partially decrypt x'' and y'' through the 5 active S boxes, and denote the values we get by x'_9 and y'_9, respectively.

   — Partially encrypt x'_9 ⊕ δ and y'_9 ⊕ δ and check whether the corresponding ciphertexts exist in our data. If these ciphertexts exist, we check their corresponding plaintexts, whether under the guessed 64-bit subkey of round 0 we get a difference α. If so, we increase the corresponding counter by 1.

3. Run over all counters, and print the corresponding indices whose counter is greater than or equal to 7.

The inner loop is performed at most 2^{84} · 2^{126.8} times, and includes at most 4 times encrypting 16 S boxes (equivalent to two rounds of Serpent) and 4 times decrypting 5 S boxes (equivalent to 5/8 rounds of Serpent). Thus, the time complexity of the attack is at most 2^{84} · 2^{126.8} · (2 + 5/8)/10 ≈ 2^°® "^ 10-round Serpent encryptions. The time complexity can be reduced by half by building in advance an equivalent table in which each entry i contains S_1(S_1^{-1}(i) ⊕ δ) and using it in the last round, and similarly computing a table with S_0^{-1}(S_0(i) ⊕ α) for the first round.



5.1 Reducing Time Requirements 

One can also use the technique of hash tables presented in jSj to reduce the time complexity to 2^{205} memory accesses, in exchange for increasing the memory complexity to 2^®® bytes of RAM.



6 Summary 



In this paper we presented the best published attack on 10-round 256-bit key Serpent. The attack requires 2^{126.8} chosen plaintexts, 2^®^-^ time and 2^{131.8} bytes of RAM. A variant of the attack requires 2^{205} time but 2®®® bytes of RAM.

We presented a differential attack on 7-round Serpent, which works for all key sizes, with data complexity of 2^{84} chosen plaintexts, time complexity of 2®® memory accesses and 2^{52} memory (blocks of 128 bits). We presented an attack on 8-round 256-bit key Serpent requiring 2^{84} chosen plaintexts, 2^^® time and 2^{84} memory (blocks of 128 bits). We summarize these results in Table 1.

We also presented the best known 3-round, 4-round, 5-round and 6-round differential characteristics of Serpent, whose probabilities are 2^{-15}, 2^{-29}, 2^{-60} and 2^{-93}, respectively. In Table 2 we summarize these characteristics and the best previously published characteristics.



Table 1. Summary of Differential Attacks on Serpent with Reduced Numbers of Rounds

Rounds | Key Size  | Data       | Time       | Memory        | Source
-------|-----------|------------|------------|---------------|-------------------
6      | all       | 2“®        |            | 2™            | [13], Section 3.2
6      | all       | 2"i        | 2^{103}    | 2^{75}        | [13], Section 3.3
6      | 192 & 256 | 2^{41}     | 2^{163}    | 2^{45}        | [13], Section 3.4
7      | 256       |            | 2^8        | 2^6           | [13], Section 3.5
7      | all       | 2^{84}     | 2®® MA     | 2^{52}        | This paper
8      | 192 & 256 | -gw        | ^33        | gI33          | [13], Section 4.2
8      | 192 & 256 | 2^{110}    | 2^{176}    | 2^{115}       | [13], Section 5.3
8      | 256       | 2^{84}     | 2^1® MA    | 2^{84}        | This paper
9      | 256       | -giro-     | 21^61^     | bytes         | [13], Section 5.4
10     | 256       | 2^{126.8}  | 2i^u/.4    | 2"®" ® bytes  | This paper
10     | 256       | 2^{126.8}  | 2^{205}    | 2^®® bytes    | This paper

MA - Memory Accesses
Memory unit is one block, unless written otherwise



Table 2. Summary of the Differential Characteristics of Serpent

Number of Rounds | Paper       | Starting from | Number of Active S boxes | Probability
-----------------|-------------|---------------|--------------------------|------------
3                | u           | S5            | 7                        | g=ro
3                | This paper* | S2            | 7                        | 2^{-15}
4                | u           | S1            | 14                       | 2"®®
4                | m           | S6            | 14                       | 2^{-34}
4                | This paper  | S1            | 13                       | 2^{-29}
5                | m           | S1            | 38                       | 2“®®
5                | da          | S5            | 24                       | 2^{-61}
5                | This paper  | S5            | 25                       | 2^{-60}
6                | E3          | S1            | 41                       | g=U7
6                | This paper  | S1            | 38                       | 2^{-93}

* This is also the upper bound presented in this paper.
A A 3-Round Differential Characteristic 

Our 3-round differential characteristic is based on the one found in |^, where a 
3-round differential characteristic with 7 active S boxes and probability 2^{-16} is 
presented. That characteristic has 4 active S boxes in the first round, 1 in 
the second round and 2 in the last round. The problem in finding characteristics 
is not finding the first round's input and the last round's output of the S boxes, 
as they can be chosen to have maximal probability. The problem is to have a 
minimal number of active S boxes, which is determined by the output of the first 
round (which passes the linear transformation), the second round, and the input 
of the last round (as this determines the number of active S boxes in the last 
round). 

We start by selecting the differences of the second round in a similar way to 
0. We observe that if we use the second round of the characteristic having S_3 
instead of S_6 and having probability 1/8 in S_3, we can ensure that all active S 
boxes in rounds 2 and 4 of the cipher (which are the first and third rounds of the 
characteristic, respectively) have probability 1/4, thus having a total probability 
of 2^{-15} (four active S boxes at 1/4, one at 1/8 and two at 1/4). 

The 3-round differential characteristic with probability 2^{-15} that we get is 
as follows: In round 2 (or 10 or 18 or any other round having S_2) the following 
characteristic holds with probability 2^{-8}: 




After the linear transformation and the application of S_3 we get the following 
differential characteristic with probability 2^{-3}: 




After the linear transformation and the application of S_4 we get the following 
differential characteristic with probability 2^{-4}: 




During the search for the best characteristic, we exhaustively checked all 
possible 3-round characteristics with 7 active S boxes and found this to be the 
best possible characteristic. As all 3-round characteristics have at least 7 active 
S boxes, and with 8 active S boxes the probability of the characteristic is at 
most 2^{-16}, this proves that this is the best 3-round differential characteristic of 
Serpent. 
B 4-Round Differential Characteristics 

B.1 A 4-Round Characteristic for Rounds 1-4 

One option for achieving a minimal number of active S boxes (13 according to [P)) is to 
have in the second round's S box S_2 the entries 5 → 4 and 4 → A_x, and in the third round 
to have an active S box S_3 with the entry 4 → A_x. Of course we would like to maximize 
the probabilities of these entries. 
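As an added illustration (not code from the paper), the following Python builds the difference distribution tables of the Serpent S boxes and reads off the entry probabilities that Appendix A (a 1/8 entry in S_3, four and two 1/4 entries around it, total 2^{-15}) and Appendix B.1 (5 → 4 and 4 → A_x in S_2, 4 → A_x in S_3) rely on. The S box tables are the published Serpent S boxes S_0 to S_7, assumed correct here; the characteristic probability is taken as the product of the per-box entry probabilities.

```python
# Added example: difference distribution tables (DDT) of the Serpent S boxes.
# The tables below are the published Serpent S boxes S0..S7 (4-bit permutations),
# reproduced here as an assumption of this example; the search code of the
# paper's authors is not shown.
from math import log2

SERPENT_SBOXES = [
    [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12],   # S0
    [15, 12, 2, 7, 9, 0, 5, 10, 1, 11, 14, 8, 6, 13, 3, 4],   # S1
    [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2],   # S2
    [0, 15, 11, 8, 12, 9, 6, 3, 13, 1, 2, 4, 10, 7, 5, 14],   # S3
    [1, 15, 8, 3, 12, 0, 11, 6, 2, 5, 4, 10, 9, 14, 7, 13],   # S4
    [15, 5, 2, 11, 4, 10, 9, 12, 0, 3, 14, 8, 13, 6, 7, 1],   # S5
    [7, 2, 12, 5, 8, 4, 6, 11, 14, 9, 1, 15, 13, 3, 10, 0],   # S6
    [1, 13, 15, 0, 14, 8, 2, 11, 7, 4, 12, 10, 9, 3, 5, 6],   # S7
]


def ddt(sbox):
    """DDT[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for din in range(16):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def entry_probability(sbox_index, din, dout):
    """Probability that input difference din leads to output difference dout."""
    return ddt(SERPENT_SBOXES[sbox_index])[din][dout] / 16


def max_entry_probability(sbox_index):
    """Largest probability of any non-trivial differential through the S box."""
    table = ddt(SERPENT_SBOXES[sbox_index])
    return max(table[din][dout] for din in range(1, 16) for dout in range(16)) / 16


def characteristic_log2_probability(rounds):
    """rounds: per-round lists of (sbox_index, din, dout) for the active S boxes.
    Returns log2 of the product of the entry probabilities, i.e. the usual
    independent-rounds estimate of a characteristic's probability."""
    total = 0.0
    for active in rounds:
        for sbox_index, din, dout in active:
            total += log2(entry_probability(sbox_index, din, dout))
    return total


def appendix_a_budget():
    """Appendix A's count: 4 active S boxes at 1/4, 1 at 1/8, 2 at 1/4."""
    return 4 * log2(1 / 4) + 1 * log2(1 / 8) + 2 * log2(1 / 4)


if __name__ == "__main__":
    print("S2: 5 -> 4   probability", entry_probability(2, 5, 4))
    print("S2: 4 -> A   probability", entry_probability(2, 4, 0xA))
    print("S3: 4 -> A   probability", entry_probability(3, 4, 0xA))
    print("rounds 2-3 of B.1 with these entries: 2^", 
          characteristic_log2_probability([[(2, 5, 4), (2, 4, 0xA)], [(3, 4, 0xA)]]))
    print("Appendix A total: 2^", appendix_a_budget())
```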

Checking the S boxes for such instances we found out that the best characteristic 
is obtained when the first round of the 4-round characteristic is set at rounds using 
S_1. We receive the following 4-round differential characteristic with probability 
2^{-29}: 

In round 1 (or any other round having S_1) the following characteristic holds with 
probability 2“^^: 
After the linear transformation and the application of S_2 we get the following 
differential characteristic with probability 2“^: 






m 



a 



I p=2' 



After the linear transformation and the application of S_3 we get the following 
differential characteristic with probability 2“^: 




(characteristic diagram omitted) 
After the linear transformation and the application of S_4 we get the following 
differential characteristic with probability 

B.2 A 4-Round Characteristic for Rounds 5-8 



This second 4-round differential characteristic is used along with the previous 
one in the attack of Section 5, and has probability 2“'*^. We use the basic 
characteristic described in GDI, where a 5-round differential characteristic with 
probability 2^{-61} is described. As we need a characteristic for rounds 5-8, we remove 
the last round and get a 4-round characteristic with probability 2 “"*®. As part of 
our efforts to find higher probability differential characteristics for the amplified 
boomerang attack, we try a technique found very useful in previous attempts: 
we add another active S box in the first round. This might seem a bad idea 
(as it reduces the probability), but we found out that in exchange we get 3 
more entries with probability 1/4 instead of 1/8. Thus, our characteristic has 
probability 2 ““^^. 

In round 5 (or any other round having S_5) the following characteristic holds with 
probability 





After the linear transformation and the application of S_6 we get the following 
differential characteristic with probability 2^{-16}: 




(characteristic diagram omitted; p = 2^{-16}) 
After the linear transformation and the application of S_7 we get the following 
differential characteristic with probability 2“®: 




After the linear transformation and the application of S_0 we get the following 
differential characteristic with probability 2~^: 







Note that the last two rounds are the same as in EOI. 



C A 5-Round Differential Characteristic 



As stated in Appendix B, we took a 5-round characteristic from uni, truncated 
it and improved it to obtain a 4-round characteristic. By adding the last round from 
PI| back to the characteristic we get a 5-round characteristic with probability 
2^{-60}. 

Thus, we add after the 4th round of the characteristic from Appendix B.2 
the following round, which applies S_1 and has probability 2~^^: 

We have found another 5-round differential characteristic with probability 
2^{-60}, and three more characteristics with probability 2~^^ which are quite similar 
to this one. 
D A 6-Round Differential Characteristic 

In order to get the best 6-round characteristic we can, we add a round before 
the 5-round characteristic from Appendix C and alter the first two rounds of it. 

Thus, the 6-round characteristic starts in a round using S_4, and has probability 
2^{-93}. 



In round 4 (or any other round having S_4) the following characteristic holds with 
probability 2^{-16}: 




After the linear transformation and the application of S_5 we get the following 
differential characteristic with probability 2^{-16}: 




After the linear transformation and the application of S_6 we get the following 
differential characteristic with probability 2^{-16}: 




(characteristic diagram omitted; p = 2^{-16}) 



After this round the characteristic is the same as described for S_7, S_0 and 
S_1 in Appendices B.2 and C. 

We observe that there are 2^{14} 6-round characteristics with the same last 5 
rounds (only the input difference of the first round changes). This follows from 
the fact that in 2 S boxes of the first round we have 8 possible input differences 
with the same probability for the given output differences, and in 8 S boxes we 
have two possibilities (8^2 · 2^8 = 2^{14}). 

We also observed that by rotating all the characteristics one bit to the left 
(or two) the characteristics remain valid with the same probability (rotation by 
three or more bits does not work). 



Efficient Amplification of the Security 
of Weak Pseudo-random Function Generators 

Steven Myers 

Department of Computer Science 
University of Toronto 
Toronto, Ontario, Canada 
myers@cs.toronto.edu 

Abstract. We show that given a PRFG (pseudo-random function generator) G 
which is partially secure, the construction g_1(x ⊕ r_1) ⊕ ··· ⊕ 
g_{log^2 n}(x ⊕ r_{log^2 n}) produces a strongly secure PRFG, where g_i ∈ G and r_i 
are strings of random bits. Thus we present the first "natural" construction 
of a (totally secure) PRFG from a partially secure PRFG. Using 
results of Luby and Rackoff, this result also demonstrates how to "naturally" 
construct a PRPG from a partially secure PRPG. 



1 Introduction 

Cryptographers have noted that the Data Encryption Standard (DES) is effectively 
the composition of 16 insecure permutation generators. Because DES has 
withstood much cryptanalysis it is often both considered to be secure (given 
its small key size) and conjectured to be a Pseudo-Random Permutation Generator 
(PRPG). This construction has led some cryptographers to attempt to 
provide evidence that supports the apparent observation that the composition 
of permutation generators can amplify security. 

Following this line of research, Luby and Rackoff |H] defined the notion of a 
partially secure PRPG to be a permutation generator which produces permutations 
that cannot be efficiently distinguished from random permutations by 
small circuits with a probability better than for some constant c > 1. They 
proved that the composition of a constant number of partially secure PRPGs 
results in a partially secure PRPG with stronger security than any of its 
constituent components. Unfortunately, Luby and Rackoff's result did not permit 
the construction of a PRPG from a partially secure PRPG. 

It was known that a partially secure PRPG implied a totally secure PRPG. 
The construction used the following chain of results. It is possible to construct 
a weak one-way function from a partially secure PRPG; then, using pnfTj, 
construct a one-way function; then, using Yao's XOR Lemma, construct a 
pseudo-random number generator (PRNG); then, using 0, construct a PRFG; 
and then finally, using [t)ll 2 \, construct a PRPG. However, this construction is 
obviously neither "natural" nor efficient. 

In this paper we give a natural, efficient and parallelizable construction for 
generating a Pseudo-Random Function Generator (PRFG) from a partially secure 
PRFG. Our proof follows from the ideas of Luby and Rackoff |H|. Further, 
since partially secure PRPGs are a special case of partially secure PRFGs, we can 
use a partially secure PRPG to construct a PRFG. Then, using a previous result 
by Luby and Rackoff Pj, or more recent work by Naor and Reingold m, we can 
"naturally" and efficiently construct a PRPG from the PRFG. If F = {F^n} is a 
"partially secure" pseudo-random function generator, then our construction is 
as follows: 

f^n_1(x ⊕ r_1) ⊕ ··· ⊕ f^n_{log^2 n}(x ⊕ r_{log^2 n}), 

where the f^n_i's are randomly chosen from F^n, and the r_i's are randomly chosen 
from {0,1}^n. The key for this new generator consists of all the keys for the 
functions (the f^n_i's), and all of the strings of random bits (the r_i's). 

Our construction is similar to an XOR product, and in this light, our proof 
might be considered an XOR lemma for PRFGs. Further support for this 
view is found in the fact that our proof closely follows that of Levin's in jjj. 

Given the relatively few number of proofs showing security amplification in 
an unrestricted adversarial model, we think this result will be of interest to those 
researchers interested in security amplification. 

Further, we believe that this result can be viewed as one step in the long 
journey to developing a good theory for the development of block ciphers. 
Currently, block ciphers are developed primarily using heuristics, with little theory 
to guide the development of their underlying architecture. Thus, while there are 
no natural examples of partially secure PRFGs that the author is aware of, should 
cipher designers develop efficient function generators which they have reason to 
believe are partially secure, then they can use the construction suggested in this 
paper, and have good reason to believe that the resulting cipher has stronger 
security properties than its constituents. 

For the purposes of example only, suppose block-cipher designers had reason 
to believe that an 8-round version of DES was a "partially" secure PRFG^1. 
Then designers could have some faith that the suggested construction could be 
used to amplify the security of this "partially" secure generator. Further, the 
parallelizability of the construction might allow designers to make certain time/space 
trade-offs. For example, the designers might trade off the time required for more 
rounds of DES against the circuit size required to implement the above construction 
with a version of DES with fewer rounds. 

1.1 Related Work 

There are very few results in cryptography which demonstrate the amplification 
of security in a general, non-restrictive adversarial model. The first such result 
was Yao's XOR Lemma m, which now has several proofs (CEl). All of these 
results apply to the security amplification of weak one-way functions and 
predicates. In a domain closer to that of PRFGs, Luby and Rackoff jH] give a direct 
product lemma for PRPGs where the direct product is taken via the composition 
of weak PRPGs. Unfortunately, their proof falls short of demonstrating that the 
direct product of a sufficient number of weak PRPGs yields a strongly secure 
PRPG. The reason for this is explained in further detail in the sequel. A direct 
product theorem for PRPGs is given by Myers El, where the direct product is 
based on the composition and exclusive-or of PRPGs. Unfortunately, this result 
also fails to achieve a strongly secure PRPG for reasons similar to those of jH|. 
Further complicating matters with the result in El is the fact that the size 
of the constructed generator is super-polynomial after ω(log n) applications of 
the direct product. 

^1 We use the quotes around "partially" as DES is not an asymptotic notion. 

Therefore, our result presents the first efficient and natural direct product 
theorem achieving strongly secure PRPG from weakly secure PRPG in a general 
adversarial model. 

Since Luby and Rackoff proposed their partial security model in 0, 
cryptographers have developed other models where it is possible to demonstrate 
some manner of security amplification. Kilian and Rogaway jSl propose a model 
where component permutation generators are replaced with completely random 
permutation generators. Constructions using the generators are then analyzed, 
and their security compared to that of a random permutation generator. Note 
that in this model, since the permutation generators are random, attacks can 
only be performed on the construction, and not on the underlying component 
generators. Kilian and Rogaway call such attacks generic, as they do not make use 
of the underlying structure of the permutation generator. 

As previously alluded to, under this model Kilian and Rogaway ^ have 
shown that the DESX construction increases the effective key length of DES. 
Also under the same model, Aiello et al. P have shown that the composition 
of multiple random permutation generators results in a permutation generator 
which is more secure than a random generator. 

2 Notation, Definitions & the Model 

Below we introduce some notation and terminology which will be used in the 
paper. 

Notation 1. For u, v ∈ {0,1}*, let u · v denote their concatenation. 

Notation 2. Let F^{n,m} denote the set of all functions f : {0,1}^n → {0,1}^m, 
and let F^n be the set F^{n,n}. 

Notation 3. For α, β ∈ {0,1}^n, let α ⊕ β denote the bit-by-bit exclusive-or of 
α and β. For f, g ∈ F^n, let (f ⊕ g)(α) denote f(α) ⊕ g(α). 

Notation 4. For any set A, let x ∈ A be the action of uniformly at random 
choosing an element x from A. For any distribution D, let x ∈ D be the action 
of randomly choosing an element according to D. 

It will be clear from context when ∈ is used to refer to an element in a set, 
and when it refers to choosing from a distribution. 

Definition 1. Let D_1, D_2, ... be a sequence of distributions, and let e represent 
a series of events e_1, e_2, ... such that for all i, e_i is an event of D_i. We say that 
e occurs with significant probability if for some constant c > 0 and for infinitely 
many n, Pr_{D_n}(e_n) > 1/n^c. We say that an event e occurs with negligible 
probability if, for all constants c > 0 and for all sufficiently large n, Pr_{D_n}(e_n) < 1/n^c. 



2.1 Circuits 

In the definition of each cryptographic primitive there exists the notion of an 
adversary. Abstractly, its purpose is to break an effect that a primitive is trying 
to achieve. Resource bounds are imposed on the adversaries, so that they model 
the computational power "real world" adversaries might feasibly have access to. 
There are two standard computational models which are used to define resource 
bounded adversaries: uniform and non-uniform. In this paper we will consider 
only non-uniform adversaries. 

A non-uniform adversary is a sequence of circuits (C_1, C_2, ...), where circuit 
C_i is used on inputs of size i. We wish to model efficient computation on the 
part of the adversary, so we assume that the size of each circuit C_i is bounded by 
p(i), for some polynomial p. The size of a circuit is defined to be the number of 
gates, and the number of connections between gates in the circuit. For simplicity 
we assume we have gates for all 16 binary and 4 unary functions. 

In order to model the adversaries of certain primitives, we allow the circuits 
to have access to an oracle. This is modeled by defining oracle gates to be gates 
of unit size which compute a specified function. The gates are otherwise treated 
like normal gates. An oracle function will normally be considered an input to 
the circuit. 

We stress that the description of the circuit family need not be efficiently 
computable, even though each circuit is of small size relative to the size of its 
input. 

Definition 2. Let C be a circuit whose outputs are in the range {0,1}. Then 
we say C is a decision circuit. Let x be an input to C. Then we say C accepts 
x if C(x) = 1, and we say that C rejects x if C(x) = 0. 

Definition 3. We say a circuit C is probabilistic if it requires as input a 
sequence of random bits. 

Notation 5. Let D be a distribution over the inputs of a decision circuit C. 
Then we use Pr_{d ∈ D}(C(d)) as a shorthand for Pr_{d ∈ D}[C(d) = 1]. 

Definition 4. Let D be a distribution over the inputs of a decision circuit C. We 
say that C accepts a fraction Pr_{d ∈ D}(C(d)) of its inputs, and rejects a fraction 
1 − Pr_{d ∈ D}(C(d)) of its inputs. 

Notation 6. We write C^f to represent a circuit C that has oracle gates which 
compute the function f in unit time. We wish to consider these gates as "input" 
to the circuit, and therefore if f is of the form {0,1}^n → {0,1}^{m(n)} for a 
polynomial m, then we say that f is part of C's input and it has size n. 

Notation 7. Let C be a circuit with access to the oracle function f. Then let 
Q_C denote the number of oracle gates in C (Note: Q is short for query). 

In the remainder of the paper we shall assume that all circuits are standardized 
in the following manner: no circuit will ever repeat oracle queries, and all 
circuits C_n in a circuit family {C_n} will perform exactly m(n) queries, for some 
polynomial m (i.e. Q_{C_n} = m(n)). Any polynomial sized family of circuits can 
easily be modified to satisfy the above two requirements. 



2.2 Function Generators 

Definition 5. We call G : {0,1}^ℓ × {0,1}^n → {0,1}^m a function generator. 
We say that k ∈ {0,1}^ℓ is a key of G, and we write G(k, ·) as g_k(·), and say 
that key k chooses the function g_k. Let g ∈ G represent the act of uniformly at 
random choosing a key k from {0,1}^ℓ, and then using the key k to choose the 
function g_k. 

Let m and ℓ be polynomials, and let N ⊆ ℕ be an infinitely large set. For each 
n ∈ N, let G^n : {0,1}^{ℓ(n)} × {0,1}^n → {0,1}^{m(n)} be a function generator. 
We call G = {G^n | n ∈ N} a function generator ensemble. 

In an abuse of notation, we will often refer to both specific function generators 
and function generator ensembles as function generators. We hope it will be clear 
from the context which term is actually being referred to. 

Definition 6 (ε-Distinguishing Adversary). Let ε : ℕ → [0,1], and let D^1 = 
{D^1_i | i ∈ ℤ^+} and D^2 = {D^2_i | i ∈ ℤ^+} be two sequences of distributions over oracle 
gates, where D^j_i is a distribution over oracle gates of input size i, for j ∈ {1,2}. 
If {C_n} is an adversary with access to oracle gates, then we say it is capable of 
ε distinguishing D^1 from D^2 if, for some polynomial p and infinitely many n: 

| Pr_{d ∈ D^1_n}[C^d_n = 1] − Pr_{d ∈ D^2_n}[C^d_n = 1] | > ε(n) + 1/p(n). 

Definition 7 (Pseudo-Random Function Generator Ensembles). Let m 
and ℓ be polynomials. For each n let G^n : {0,1}^{ℓ(n)} × {0,1}^n → {0,1}^{m(n)} be a 
function generator, computable in time bounded by a polynomial in n. Define G = 
{G^n | n ∈ ℕ} to be the function generator ensemble. Define F = {F^{n,m(n)} | n ∈ ℕ}. 

We say that G is (1 − ε(n)) secure if there exists no adversary {C_n}, bounded 
in size to be polynomial in n, which can ε distinguish G from F. 

We say that G is a pseudo-random function generator (PRFG) if it is 1 
secure. 

Definition 8. If G is a 1-secure generator, we say it is strongly secure. If G is 
1/p secure, for some polynomial p, then we say that it is partially secure. If G 
is not partially secure, then we say it is insecure. 



2.3 Previously Known Lemmas 

Below is a well known form of the Chernoff bound. For a proof of this result 
refer to PI or any standard book on probabilistic computation. 

Lemma 1 (Chernoff Bound). Let X_1, ..., X_t be i.i.d.r.v. which take the values 
0 or 1 with probabilities q or p = 1 − q respectively. Let A_t = (1/t) Σ_{i=1}^t X_i. Then 
for any k and l, there exists a t such that: 



Pr 







< 



The following lemma is a generalization of standard derandomization proofs 
in the non-uniform computation model. Before stating the lemma, we give the 
following intuition of its statement. Let D_1 and D_2 be two distributions over oracle 
functions, and P be a predicate with a domain over functions. Then if C is a 
probabilistic circuit such that C^{D_1} approximates P(D_1) and C^{D_2} approximates 
P(D_2), then there exists a derandomized version of C which approximates both 
P(D_1) and P(D_2). 

Lemma 2 (Derandomization Lemma). Let C^w(r) be a probabilistic oracle-
circuit, where w is an oracle function, and r is a string of random input bits. 
Let D_1 and D_2 be two distributions over F^n, and let R be the distribution over 
C's random bits. Let P : F^n × M → {0,1} be a predicate. Then, if 

Pr_{w ∈ D_1, r ∈ R}[P(w, C^w(r)) = 1] > 1 − p and Pr_{w ∈ D_2, r ∈ R}[P(w, C^w(r)) = 1] > 1 − p, 

then there exists an r̂ ∈ R such that Pr_{w ∈ D_i}[P(w, C^w(r̂)) = 1] > 1 − 2p, for 
i ∈ {1,2}. 

Proof. This result is a generalization of standard derandomization techniques 
for non-uniform circuits. The details are left to the full version of the paper. □ 



3 Result 

We will show that there is a "natural" construction which constructs strongly 
secure PRFGs from 1 − δ secure PRFGs. The construction we present uses 
function generators that generate functions of the form f : {0,1}^n → {0,1}^n; 
this is done to simplify the presentation. The result can easily be modified to 
generate functions of the form f : {0,1}^n → {0,1}^{m(n)}, for any polynomial m. 
The construction is based on the operator generator described below. 

Let f_1 and f_2 be two functions such that f_i : {0,1}^n → {0,1}^n, for i ∈ 
{1,2}. For each r_1, r_2 ∈ {0,1}^n we define the operator ◇^n_{r_1,r_2} which acts on the 
functions f_1 and f_2 and produces a function of type {0,1}^n → {0,1}^n as defined 
below: 

(f_1 ◇_{r_1,r_2} f_2)(x) = f_1(x ⊕ r_1) ⊕ f_2(x ⊕ r_2). 

We define the ◇ operator generator (read Diamond) as ◇ = {◇^n_{r_1,r_2} | n ∈ 
ℕ ∧ r_1, r_2 ∈ {0,1}^n}. 

Before describing the construction, we will formally describe how to combine 
two function generators using the ◇ operator generator. 

Definition 9. Let G = {G^n : {0,1}^{ℓ(n)} × {0,1}^n → {0,1}^n | n ∈ ℕ} be a function 
generator ensemble. Let H = {H^n : {0,1}^{κ(n)} × {0,1}^n → {0,1}^n | n ∈ ℕ} be a 
function generator ensemble. Let ◇ be the operator generator defined previously. 
Then let F = {F^n : {0,1}^{ℓ(n)+κ(n)+2n} × {0,1}^n → {0,1}^n | n ∈ ℕ} be the function 
generator defined by F^n(k_1 · k_2 · k_3 · k_4, x) = (g^n_{k_1} ◇_{k_3,k_4} h^n_{k_2})(x), where |k_1| = 
ℓ(n), |k_2| = κ(n) and |k_3| = |k_4| = n. This is written in shorthand as F = G ◇ H. 

Similarly, if g : {0,1}^n → {0,1}^n, then we write g ◇ H as shorthand for 
the function generator defined by F^n(k_2 · k_3 · k_4, x) = (g ◇_{k_3,k_4} h^n_{k_2})(x), where 
|k_2| = κ(n) and |k_3| = |k_4| = n. 
3.1 The Construction 

Let p be a polynomial. We construct the generator F from the generator G as 
follows: 

F = G ◇ ··· ◇ G   (p(n) copies of G). 

Note that in order to compute a random function f^n ∈ F it is sufficient to 
compute 

g_1(x ⊕ r_1) ⊕ ··· ⊕ g_{p(n)}(x ⊕ r_{p(n)}), 

where g_i ∈ G and r_i ∈ {0,1}^n. 

Observe that the key for F includes p(n) keys for G and p(n) random strings. 
The random strings are necessary for the security amplification, and a counter 
example to our security amplification claims can easily be constructed if they are 
omitted. For further discussion on this construction and several other plausible 
candidates see mi. 
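The ◇ operator of Section 3 and the p(n)-fold construction F = G ◇ ··· ◇ G of Section 3.1, as an added Python example that is not the paper's own code. The component generator G is a stand-in keyed function built from SHA-256 (an assumption of this example; the paper only requires G to be partially secure), the two-generator case follows Definition 9's key order k_1 · k_2 · k_3 · k_4, and the way the p(n) keys and random strings are passed to the p-fold construction is this example's own choice.

```python
# Added example (not the paper's code): the Diamond operator of Section 3 and
# the construction F = G ◇ ··· ◇ G of Section 3.1.
# G below is a stand-in keyed function built from SHA-256 (an assumption of
# this example); the paper only assumes G is partially secure.
import hashlib
import secrets
from typing import Callable, List, Tuple

Func = Callable[[int], int]   # a function {0,1}^n -> {0,1}^n on n-bit ints
N = 16                        # n: input/output length in bits (small, for the demo)
ELL = 32                      # ell(n): key length of the stand-in G, in bits


def G(k: int, x: int) -> int:
    """Stand-in function generator G : {0,1}^ell x {0,1}^n -> {0,1}^n."""
    data = k.to_bytes(ELL // 8, "big") + x.to_bytes(N // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: N // 8], "big")


def g(k: int) -> Func:
    """g_k(.) = G(k, .) as in Definition 5."""
    return lambda x: G(k, x)


def diamond(f1: Func, f2: Func, r1: int, r2: int) -> Func:
    """(f1 ◇_{r1,r2} f2)(x) = f1(x ⊕ r1) ⊕ f2(x ⊕ r2)."""
    return lambda x: f1(x ^ r1) ^ f2(x ^ r2)


def two_generator_F(key: bytes, x: int) -> int:
    """F = G ◇ G per Definition 9 with key k1 · k2 · k3 · k4,
    |k1| = |k2| = ell and |k3| = |k4| = n (here H = G)."""
    kb, nb = ELL // 8, N // 8
    assert len(key) == 2 * kb + 2 * nb
    k1 = int.from_bytes(key[0:kb], "big")
    k2 = int.from_bytes(key[kb:2 * kb], "big")
    k3 = int.from_bytes(key[2 * kb:2 * kb + nb], "big")
    k4 = int.from_bytes(key[2 * kb + nb:], "big")
    return diamond(g(k1), g(k2), k3, k4)(x)


def keygen(p: int) -> Tuple[List[int], List[int]]:
    """Key of F: p(n) keys for G plus p(n) random n-bit strings r_i."""
    return ([secrets.randbits(ELL) for _ in range(p)],
            [secrets.randbits(N) for _ in range(p)])


def key_length_bits(p: int) -> int:
    """Total key length of F = G ◇ ··· ◇ G with p components."""
    return p * (ELL + N)


def construction_F(keys: List[int], offsets: List[int]) -> Func:
    """F = G ◇ ··· ◇ G (Section 3.1), folded with the ◇ operator:
    x |-> g_1(x ⊕ r_1) ⊕ ··· ⊕ g_p(x ⊕ r_p)."""
    assert keys and len(keys) == len(offsets)
    # g_1(x ⊕ r_1) ⊕ 0: XOR-ing with the zero function carries the first offset in.
    f = diamond(g(keys[0]), lambda x: 0, offsets[0], 0)
    for k, r in zip(keys[1:], offsets[1:]):
        f = diamond(f, g(k), 0, r)   # keep the accumulated terms, add g_k(x ⊕ r)
    return f


def direct_xor(keys: List[int], offsets: List[int], x: int) -> int:
    """The same value computed straight from the formula, for cross-checking."""
    out = 0
    for k, r in zip(keys, offsets):
        out ^= G(k, x ^ r)
    return out


if __name__ == "__main__":
    ks, rs = keygen(8)          # p(n) = 8 components
    F = construction_F(ks, rs)
    print("key bits:", key_length_bits(8), "F(0x1234) =", hex(F(0x1234)))
    assert F(0x1234) == direct_xor(ks, rs, 0x1234)
```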

In order to prove the security of the construction we use the Diamond Isolation 
Lemma (the name for this lemma comes from the stylistically similar 
Isolation Lemma used by Levin jZ| in proving Yao's XOR Lemma [El) stated 
below. Intuitively, the lemma shows that the function generator which results 
from the combination of two partially secure function generators by the ◇ 
operator generator is more secure than either of the two constituent generators. The 
majority of the work in this paper goes towards proving this lemma correct. 

Lemma 3 (Diamond Isolation Lemma). There exists a fixed polynomial p 
(which is retrievable from the proof of this lemma) such that the following holds. 
Let ε, δ : ℤ → [0,1] be functions. Let H and G be function generators, where 
C_G(n) and C_H(n) are polynomials which bound from above the size of the circuits 
which compute the function generators respectively. 

Hypothesis: There exists a family of decision-circuits {C_n}, where for each n 
the circuit C_n is of size bounded above by the polynomial s_C(n), and for some 
c > 0 and infinitely many n: 

| Pr_{g ∈ G^n ◇ H^n}(C^g_n) − Pr_{f ∈ F^n}(C^f_n) | > ε(n)δ(n) + 1/n^c. 

Conclusion: For infinitely many n there exists either a decision-circuit T_n of 
size p(n^c · C_G(n)) s_C(n) for which: 

| Pr_{h ∈ H^n}(T^h_n) − Pr_{f ∈ F^n}(T^f_n) | > ε(n) + 1/n^{3c}, 

or a decision-circuit S_n of size ≤ (2 Q_{C_n} C_H(n) + s_C(n)) for which: 

| Pr_{g ∈ G^n}(S^g_n) − Pr_{f ∈ F^n}(S^f_n) | > δ(n) + 1/n^{2c}. 


Luby and Rackoff prove a similar lemma in •. It shows that the composition 
of two partially secure PRPGs results in a generator which is more secure than 
either of the constituents. Excluding the fact that their lemma is restricted to 
permutation generators instead of function generators, our lemma is stronger in 
two senses. First, the security requirement in the hypothesis is strictly weaker (i.e. 
the improvement in security from combining the two generators is stronger in our 
result). Second, the size of the distinguishing circuit for G is only additively larger 
than the distinguishing circuit for G ◇ H. In the Luby and Rackoff construction, 
the distinguishing circuits for G and H are both multiplicatively larger than the 
circuit which distinguishes G ∘ H. It is this second fact that permits us to achieve 
PRFGs in our construction. Furthermore, this proof is simpler than that of Luby 
and Rackoff. Their proof contains a corollary which corresponds to Corollary 1 
in our proof. However, unlike Corollary 1, their corollary is only proven true with 
respect to the computational security of G ∘ H. This restriction is necessary for 
their construction, but increases the difficulty of the proof. We now prove that 
our construction produces a PRFG from a 1 − ε secure PRFG. 



Theorem 1 (Diamond Composition Theorem). Let 0 < ε < 1 be a constant. 
Let G be a 1 − ε secure PRFG. Then for each p ∈ Ω(log^2 n) ∩ ∪_i O(n^i) 
the generator F = G ◇ ··· ◇ G (p(n) copies of G) is a secure PRFG. 

Proof. (sketch) The intuition for this argument is as follows. We assume that F 
is not secure, and thus there is a family of distinguishing circuits for F. We apply 
the Isolation Lemma to the generator F. The result is either that the generator 
G is not 1 − ε secure as claimed, or we have a family of distinguishing circuits 
(slightly larger than the original circuit family) for a generator smaller than F. 
We apply the Isolation Lemma inductively to this smaller generator until we 
are only left with an ε + 1/poly(n) family of distinguishing circuits for the generator 
G, which contradicts its assumed 1 − ε security. The theorem follows. The full 
details are left to the full version of the paper. □ 

Before presenting a proof of the Diamond Isolation Lemma (Lemma 3), we 
first present two important technical lemmas. A complete proof of the Diamond 
Isolation Lemma follows. 



3.2 Two Technical Lemmas 

The first lemma and corollary demonstrate that the acceptance probability of an 
oracle-decision-circuit is the same whether the circuit is given an oracle chosen 
uniformly at random from the set of all functions, or given an oracle chosen 
uniformly at random from the set of all functions combined with any specific 
function using the ◇ operator generator. 

Lemma 4. Given any decision-circuit C, for each h ∈ F^n and for each r_1, r_2 ∈ {0,1}^n: 

Pr_{g ∈ h ◇_{r_1,r_2} F^n}(C^g) = Pr_{f ∈ F^n}(C^f). 

Proof. First observe that for each r_2 ∈ {0,1}^n the distribution {h'(x ⊕ r_2) | h' ∈ F^n} 
is F^n. Then let g(x) = h(x ⊕ r_1), and observe that the distribution g ⊕ F^n = F^n, 
proving the result. □ 

Corollary 1. Given any decision-circuit C, for each h ∈ F^n: Pr_{g ∈ h ◇ F^n}(C^g) = 
Pr_{f ∈ F^n}(C^f). 
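Lemma 4 rests on the map h' ↦ h ◇_{r_1,r_2} h' sending the uniform distribution on F^n to itself. The added Python check below (not from the paper) makes that concrete for n = 2: it enumerates all 256 functions {0,1}^2 → {0,1}^2 as output tuples and confirms that the map is a bijection on F^n for every h, r_1 and r_2, which is exactly why a uniform h' yields a uniform h ◇_{r_1,r_2} h'.

```python
# Added check for Lemma 4 (not the paper's code): for n = 2 enumerate all
# (2^n)^(2^n) = 256 functions {0,1}^2 -> {0,1}^2 as output tuples and verify
# that h' |-> h ◇_{r1,r2} h' permutes this set for every fixed h, r1, r2.
# A permutation of F^n maps the uniform distribution to itself, which is
# what the lemma needs.
from functools import lru_cache
from itertools import product


@lru_cache(maxsize=None)
def all_functions(n):
    """Every f : {0,1}^n -> {0,1}^n, written as the tuple (f(0), ..., f(2^n - 1))."""
    return tuple(tuple(t) for t in product(range(1 << n), repeat=1 << n))


def diamond_table(h, h2, r1, r2, n):
    """Truth table of (h ◇_{r1,r2} h')(x) = h(x ⊕ r1) ⊕ h'(x ⊕ r2)."""
    return tuple(h[x ^ r1] ^ h2[x ^ r2] for x in range(1 << n))


def diamond_is_bijection(h, r1, r2, n=2):
    """True iff h' |-> h ◇_{r1,r2} h' is a bijection on F^n (fixed h, r1, r2)."""
    funcs = all_functions(n)
    images = {diamond_table(h, h2, r1, r2, n) for h2 in funcs}
    return len(images) == len(funcs)


def check_all_h(n=2):
    """Lemma 4 quantifies over every h and every r1, r2: check them all."""
    return all(diamond_is_bijection(h, r1, r2, n)
               for h in all_functions(n)
               for r1 in range(1 << n)
               for r2 in range(1 << n))


if __name__ == "__main__":
    print("bijection for all h, r1, r2 with n = 2:", check_all_h(2))
```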

The next lemma demonstrates that the probability of acceptance by a polynomial 
sized oracle-decision-circuit is "almost" the same whether given access to 
an oracle chosen uniformly at random from the set of all functions, or given an 
oracle chosen randomly from the set of functions specified by combining, via the 
◇ operator generator, any distribution of functions with "almost" any specific 
function. 



Lemma 5. Let {C_n} be a polynomial sized family of decision-circuits. Then for 
every constant c, for sufficiently large n, for each s ∈ F^n, for all but a 1/n^c fraction of the 
w ∈ F^n: 

| Pr_{g ∈ s ◇ w}(C^g_n) − Pr_{f ∈ F^n}(C^f_n) | < 1/n^c. 

Proof. (sketch) Below we outline the high-level ideas behind the proof of the 
lemma. We leave the detailed proof for the full version of the paper. 

In the remainder of this proof sketch, when we say a value has a good 
approximation, we mean that it approximates the value to within a 1/poly(n) additive factor, 
where poly(n) can be any polynomial. Further, when we say an approximation 
is good it is implicit that we mean that it is good with very high probability 
(greater than 1 − 1/n^c for some c > 0). 
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We define an experiment that has a random variable that is a good approx- 
imation to both PrggsOu)(C'®) and Pr^g^n(C^). A direct result is that for most 
w S the value | Pig^sOw{C^) — Pr/gjrn(C^)| is small, and the result follows. 

The major work involved in proving this lemma involves showing that the 
random variable in the experiment approximates both of the aforementioned 
values. 

We define an experiment in which we draw uniformly at random a function 
w G and a set of p{n) keys from {0,1}^" for the O operator, {{kj • kf)}, 
where p is a polynomial. We define the random variable: 



$$\frac{1}{p(n)} \sum_{i=1}^{p(n)} C^{\,\cdots} \qquad (1)$$



It is clear, by the Chernoff bound, that p can be chosen so that (1) is a good approximation of Pr_{g ∈ s ◇ w}(C^g).

In order to demonstrate that (1) also approximates Pr_{f ∈ F^n}(C^f), we show that it is a good approximation of a second random variable, which itself closely approximates Pr_{f ∈ F^n}(C^f).

We define a second experiment as choosing uniformly at random q(n) functions from F^n, where q is a polynomial. We define the second random variable as:



$$\frac{1}{q(n)} \sum_{i=1}^{q(n)} C^{\,\cdots} \qquad (2)$$



By the Chernoff bound, for an appropriate q, the random variable (2) is a good approximation for Pr_{f ∈ F^n}(C^f). Therefore, it suffices to show that the random variable (1) is a good approximation for (2).

We show that (1) and (2) are good approximations of each other by defining a third experiment in which both random variables can be calculated. In this experiment, with very high probability the random variables are equal, and therefore they are good approximations of each other.

In the third experiment we draw uniformly at random a polynomial (in n) number of random strings, {r_j}, from {0,1}^n and a polynomial number of keys from {0,1}^{2n} for the ◇ operator, {(k_i^1 · k_i^2)}.

Observe that the random variable (2) can be calculated in this experiment: any call to an oracle-gate during the computation of … can be answered with a random bit-string r_j. (Recall C is of a special form: it never makes the same oracle query twice.)

Unfortunately, it is not as easy to calculate (1) in the third experiment. As w was chosen at random in the first experiment, for any i we can calculate the value … replacing the outputs of the oracle gates with random bit-strings. Unfortunately, the calculation of (1) requires the evaluation of … for a polynomial number of values of i. These evaluations are not independent, and therefore the scheme used to calculate (2) is not a valid method for computing (1). The problem is that during the evaluations of … and … the respective queries x and y could be made to oracle gates, where x ⊕ k_i^1 = y ⊕ k_j^1, and in such cases the outputs of the gates are dependent on each other. Fortunately, we can show that the probability of such an event occurring is negligible and that this is the only case in which we cannot replace the output of the oracle gates with random strings to simulate the calculation of (1). Therefore, with high probability, the values of (1) and (2) are equal in the third experiment. The lemma follows. □



3.3 Proof of the Isolation Lemma 



Assume that there exists a polynomial-sized decision-circuit family {C_n} which, for some constant c > 0 and infinitely many n, satisfies |Pr_{g ∈ G^n ◇ H^n}(C_n^g) − Pr_{f ∈ F^n}(C_n^f)| > ε(n)δ(n) + …. WLOG we assume that Pr_{g ∈ G^n ◇ H^n}(C_n^g) − Pr_{f ∈ F^n}(C_n^f) > ε(n)δ(n) + …, as otherwise we can simply flip the output bit of C_n.

Lemma 6. For j > 0 and for each n let

$$\kappa_n(i) = \Pr_{f \in F^n}(C_n^f) + \frac{1}{n^{i}}$$

and let

$$S^n(i) = \Bigl\{\, w \;:\; \Pr_{g \in G^n \diamond w}(C_n^g) \ge \kappa_n(i) \Bigr\}.$$

Then for all i, j: Pr_{w ∈ F^n}(w ∈ S^n(i)) < …, for sufficiently large n.



Proof. Suppose for contradiction that there exist i and j such that for infinitely many n, Pr_{w ∈ F^n}(w ∈ S^n(i)) > …. We will show this contradicts Lemma 5. We first note that since Pr_{g ∈ G^n ◇ S^n(i)}(C_n^g) > Pr_{f ∈ F^n}(C_n^f) + …, by an averaging argument we can fix a g ∈ G^n such that Pr_{h ∈ g ◇ S^n(i)}(C_n^h) ≥ Pr_{f ∈ F^n}(C_n^f) + …. Then, using the first moment method, we note that given g, there must be a … fraction of w ∈ S^n(i) which have the "good" property that Pr_{g' ∈ g ◇ w}(C_n^{g'}) > Pr_{f ∈ F^n}(C_n^f) + …. Since S^n(i) is also a "significant" (…)-fraction of F^n, the probability that a random w has the "good" property is ≥ 1/n^{2i+j}, and this contradicts Lemma 5. □



Lemma 7. Either there exists a family of decision-circuits {S_n}, where for each n the circuit is of size ≤ Q_{C_n} · 2c_H(n) + s_C(n), Q_{S_n} = Q_{C_n}, and for infinitely many n:

$$\Bigl|\Pr_{g \in G^n}(S_n^g) - \Pr_{f \in F^n}(S_n^f)\Bigr| > \delta(n) + \frac{1}{n^{2c}},$$

or for all sufficiently large n and all h^n ∈ H^n:

$$\Bigl|\Pr_{g \in G^n \diamond h^n}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr| < \delta(n) + \cdots$$



Proof. Suppose it is the case that for infinitely many n there exists an h^n ∈ H^n such that |Pr_{g ∈ G^n ◇ h^n}(C_n^g) − Pr_{f ∈ F^n}(C_n^f)| > δ(n) + …. For each such n we create a decision circuit S_n where …. We observe that:

$$\Bigl|\Pr_{g \in G^n}(S_n^g) - \Pr_{f \in F^n}(S_n^f)\Bigr| = \Bigl|\Pr_{g \in G^n \diamond h^n}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr| \quad \text{(Corollary 1)}$$
$$> \delta(n) + \cdots$$

It is easy to see that C_n can be modified, in a straightforward manner, by adding Q_{C_n}(c_H(n) + 10n) gates and wires to compute S_n, while still using Q_{C_n} oracle gates. For simplicity of presentation in this paper we have assumed that 10n ≤ c_H(n), giving us a circuit of size ≤ s_C(n) + Q_{C_n}(2c_H(n)). □



Main Argument. We now present the main argument for proving the Diamond Isolation Lemma. WLOG, we assume that

$$\Pr_{g \in G^n \diamond H^n}(C_n^g) \;\cdots \qquad (3)$$

if this is not the case flip the output bit of C_n.

We assume that there exists no family of circuits {S_n}, where each circuit is of size … c_H(n) + s_C(n), such that for infinitely many n:

$$\Bigl|\Pr_{g \in G^n}(S_n^g) - \Pr_{f \in F^n}(S_n^f)\Bigr| \;\cdots$$

From the above assumption and Lemma 7 we know that for all sufficiently large n and all h^n ∈ H^n:

$$\Bigl|\Pr_{g \in G^n \diamond h^n}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr| < \delta(n) + \cdots \qquad (4)$$

We now outline the argument. By (3), C_n accepts a fraction of G^n ◇ H^n which is "significantly larger" than ε(n)δ(n) + Pr_{C_n}(F^n). However, by (4), for each h ∈ H^n not much more than a δ(n) + Pr_{C_n}(F^n) fraction of the functions in G^n ◇ h are accepted by C_n. As Pr_{g ∈ G ◇ H}(C_n^g) is the expected value of Pr_{g ∈ G ◇ h}(C_n^g) over the distribution H^n, it must be the case that Pr_{g ∈ G ◇ h}(C_n^g) is "significantly larger" than Pr_{f ∈ F^n}(C_n^f) for at least an ε(n) fraction of the h ∈ H^n. Given a function w, our distinguishing circuit will approximate Pr_{g ∈ G ◇ w}(C_n^g) and accept if it is "significantly larger" than Pr_{f ∈ F^n}(C_n^f). By the above argument this will accept an ε(n) fraction of the functions in H^n and, by Lemma 5, the same circuit will accept almost no random functions in F^n. We now give the details of the proof outlined above.

Since we cannot compute Pr_{g ∈ G^n ◇ w}(C_n^g) in polynomial time, we approximate it with the probabilistic circuit A_n:



$$A_n^w = \frac{1}{n^{b}} \sum_{i=1}^{n^{b}} C_n^{\,\cdots}$$

where g_1, …, g_{n^b} ∈ G^n and k_1^1, k_1^2, …, k_{n^b}^2 ∈ {0,1}^n are randomly chosen. Let K(n) be the length of the key of H^n, and set (with foresight) a > 1 so that n^a > K(n). Using the Chernoff Bound, b is chosen large enough such that:



$$\Pr\Bigl[\,\bigl|A_n^w - \Pr_{g \in G^n \diamond w}(C_n^g)\bigr| > \cdots\Bigr] < \cdots \qquad \text{and} \qquad \Pr\Bigl[\,\bigl|A_n^h - \Pr_{g \in G^n \diamond h}(C_n^g)\bigr| > \cdots\Bigr] < \cdots$$

Since we want a deterministic circuit we derandomize A_n, by Lemma …, to get the circuit B_n, such that for all but … of the w ∈ F^n:

$$\bigl|B_n^w - \Pr_{g \in G^n \diamond w}(C_n^g)\bigr| < \frac{1}{n^{3c}} \qquad (5)$$

and for all of the h ∈ H^n:

$$\bigl|B_n^h - \Pr_{g \in G^n \diamond h}(C_n^g)\bigr| < \frac{1}{n^{3c}} \qquad (6)$$

since for each k ∈ {0,1}^{K(n)} the probability of picking h_k from H^n is at least 1/2^{K(n)} > 1/2^{n^a}.

Claim. Pr_{h ∈ H^n}[B_n^h > Pr_{f ∈ F^n}(C_n^f) + …] ≥ ε(n) + ….

Proof. Assume for contradiction that Pr_{h ∈ H^n}[B_n^h > Pr_{f ∈ F^n}(C_n^f) + …] < ε(n) + …. Let K^n ⊆ H^n be the set of functions h ∈ H^n for which B_n^h > Pr_{f ∈ F^n}(C_n^f) + …, and let \bar{K}^n be its complement.

$$\Pr_{g \in G^n \diamond H^n}(C_n^g) - \Pr_{f \in F^n}(C_n^f) = \sum_{h \in H^n} \Bigl(\Pr_{g \in G^n \diamond h}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr) \Pr[\tilde h = h]$$
$$= \sum_{h \in K^n} \Bigl(\Pr_{g \in G^n \diamond h}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr) \Pr[\tilde h = h] + \sum_{h \in \bar K^n} \Bigl(\Pr_{g \in G^n \diamond h}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr) \Pr[\tilde h = h] \qquad (7)$$
$$\le \sum_{h \in K^n} \Bigl(\Pr_{g \in G^n \diamond h}(C_n^g) - \Pr_{f \in F^n}(C_n^f)\Bigr) \Pr[\tilde h = h] + \bigl(1 - \varepsilon(n) - \cdots\bigr) \cdot \cdots \qquad (8)$$
$$< \varepsilon(n)\,\delta(n) + \cdots \qquad (9) \quad \text{(contradiction)}$$

Amplification of the Security of Weak Pseudo-random Function Generators 371

Equation (8) follows from two facts. First, by assumption, the probability that a random h ∈ H^n is in \bar{K}^n is 1 − ε(n) − …. Second, for each h ∈ \bar{K}^n, B_n^h − Pr_{f ∈ F^n}(C_n^f) ≤ …. Equation (9) follows from two facts. First, by assumption, Pr[h ∈ K^n] < ε(n) + …. Second, by (4), for each h ∈ H^n, Pr_{g ∈ G^n ◇ h}(C_n^g) − Pr_{f ∈ F^n}(C_n^f) < δ(n) + …. Equation (9) contradicts the fact that Pr_{g ∈ G^n ◇ H^n}(C_n^g) − Pr_{f ∈ F^n}(C_n^f) > ε(n)δ(n) + …. □

We create the decision circuit T_n which accepts w iff B_n^w > Pr_{f ∈ F^n}(C_n^f) + ….

$$\Pr_{h \in H^n}(T_n^h) - \Pr_{f \in F^n}(T_n^f) \;\ge\; \bigl(\varepsilon(n) + \cdots\bigr) - \Pr_{f \in F^n}(T_n^f)$$
$$\ge \bigl(\varepsilon(n) + \cdots\bigr) - \Pr_{f \in F^n}\Bigl[\Pr_{g \in G^n \diamond f}(C_n^g) > \Pr_{f' \in F^n}(C_n^{f'}) + \frac{1}{n^{2c}} - \frac{1}{n^{3c}}\Bigr] - \cdots \qquad (10)$$
$$\ge \varepsilon(n) + \cdots - \cdots \qquad (11)$$
$$\ge \varepsilon(n) + \frac{1}{n^{3c}} \qquad \text{(for sufficiently large } n\text{)}$$

Equation (10) follows as B_n^w approximates Pr_{g ∈ G^n ◇ w}(C_n^g) to within a factor of 1/n^{3c} for all but … of the w ∈ F^n. Equation (11) follows by a direct application of Lemma 5.

By performing the straightforward construction of T_n, we see that there does exist a fixed polynomial p, mentioned in the statement of the lemma, for which the size of T_n is bounded by p(n^a · c_G(n)) s_C(n). □



4 Discussion and Further Research 



We have presented a relatively simple and efficient construction for transforming a partially secure PRFG into a strongly secure PRFG. We believe this construction could possibly be used to guide the development of block-ciphers in the future. However, as described in the introduction, the construction may be useful only in outer layers of the cipher, after a certain minimal amount of security has been achieved by other means, possibly by the time-proven method of using composition.

Further, as one of the anonymous referees pointed out, it appears possible to show in the Kilian-Rogaway model that the construction can be used to increase the effective key-length of a block-cipher. This would appear to give further evidence of the benefit of using the construction in practice. Further, since the construction is parallelizable it may be preferable to 3-DES for extending the key-lengths of DES. However, since the resulting generator is a function generator and not a permutation generator, there will be systems and applications where this is an infeasible approach.
Abstract. In STOC 2000, Canetti, Goldreich, Goldwasser, and Micali put forward the strongest notion of zero-knowledge to date, resettable zero-knowledge (RZK), and implemented it in constant rounds in a new model, where the verifier simply has a public key registered before any interaction with the prover.

To achieve ultimate round efficiency, we advocate a slightly stronger model. Informally, we show that, as long as the honest verifier does not use a given public key more than a fixed-polynomial number of times, there exist 3-round (which we prove optimal) RZK protocols for all of NP.
1 Introduction 

The Notion of Resettable Zero-Knowledge. A zero-knowledge (ZK) proof [GMR89] is a proof that conveys nothing but the verity of a given statement. As put forward by Canetti, Goldreich, Goldwasser, and Micali [CGGM00], resettable zero-knowledge (RZK) is the strongest form of zero-knowledge known to date. In essence, an RZK proof is a proof that remains ZK even if a polynomial-time verifier can force the prover to execute the proof multiple times with the same coin tosses. More specifically,

— The verifier can reset the prover. In each execution, the verifier can choose whether the prover should execute the protocol with a new random tape or with one of the tapes previously used.

— The verifier can arbitrarily interleave executions. The verifier can always start (in particular, in a recursive way) new executions in the middle of old ones, and resume the old ones whenever it wants.

— The prover is oblivious. As far as it is concerned, the prover is always executing a single instance of the protocol.

Resettable ZK is a strengthening of Dwork, Naor and Sahai's [DNS98] notion of concurrent ZK (CZK). In essence, in a CZK protocol, a malicious verifier acts

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 373-1223 2001. 
as in an RZK protocol, except that it lacks the power of resetting the prover's random tapes.

Constructing RZK protocols. Perhaps surprisingly, it is possible to implement such a strong notion: RZK proofs for NP-complete languages are constructed in [CGGM00] under standard complexity assumptions. Their construction is concretely obtained by properly modifying the CZK protocol of Richardson and Kilian. Because this underlying CZK protocol is not constant-round, neither is the resulting RZK protocol. (The minimum known number of rounds for implementing the Richardson-Kilian protocol is polylogarithmic in the security parameter, as shown by Kilian and Petrank [KP01].)

Unfortunately, it may not be possible to obtain a constant-round RZK protocol: at least in the black-box model, Canetti, Kilian, Petrank and Rosen [CKPR01] recently proved that no constant-round protocol exists even for CZK. However, [CGGM00] also put forward an appealingly simple model, which we call the bare public-key (BPK) model, and provide a 5-round RZK argument for any NP language in this model.

Let us now quickly recall what their model is.

The Bare Public-Key Model. An interactive proof system in the BPK model simply assumes that the verifier V has a public key, PK, that is registered before any interaction with the prover begins. No special protocol needs to be run to publish PK, and no authority needs to check any property of PK. It suffices for PK to be a string known to the prover, and chosen by the verifier prior to any interaction with the prover.

The BPK model is very simple. In fact, it is a weaker version of the frequently used public-key infrastructure (PKI) model, which underlies any public-key cryptosystem or digital signature scheme. In the PKI case, a secure association between a key and its owner is crucial, while in the BPK case no such association is required. The single security requirement of the BPK model is that a bounded number of keys (chosen beforehand) are "attributable" to a given user.

We have recently pointed out in [MR01] that the BPK model has four distinct notions of soundness, depending on the power enjoyed by a malicious prover P*; informally,

1. one-time soundness, arising when P* is allowed a single interaction with V per theorem statement;

2. sequential soundness, arising when P* is allowed multiple but sequential interactions with V;

^ Their paper actually presents two related constructions: (1) a 4-round protocol with an additional 3-round preprocessing stage with a trusted third party, and (2) an 8-round protocol without such preprocessing. Their constructions can be easily modified to yield the 5-round protocol attributed above.

^ Indeed, having a prover P work with an incorrect public key for a verifier V does not affect soundness nor resettable zero-knowledgeness; at most, it may affect completeness. (Working with an incorrect key may only occur when an active adversary is present, in which case, strictly speaking, completeness does not even apply: this fragile property only holds when all are honest.)
3. concurrent soundness, arising when P* is allowed multiple interleaved interactions with the same V; and

4. resettable soundness, arising when P* is allowed to reset V with the same random tape and interact with it concurrently.

As we have already said, the BPK model permits constant-round RZK protocols for all of NP. Indeed, the CGGM protocol is 5-round and sequentially sound, and we have recently constructed a 4-round one that also is sequentially sound [MR01]. To achieve ultimate round efficiency, we advocate strengthening the BPK model a bit.

The Upperbounded Public-Key Model. How many public keys can a verifier establish before it interacts with the prover? Clearly, no more than a polynomial (in the security parameter) number of keys. Though innocent-looking, this bound is a source of great power for the BPK model: it allows for the existence of constant-round black-box RZK, which is impossible in the standard model.

How many times can a verifier use a given public key? Of course, at most a 
polynomial (in the security parameter) number of times. Perhaps surprisingly, we 
show that if such an innocent-looking polynomial upperbound U is made explicit 
a priori, then we can further increase the round efficiency of RZK protocols. 

In our upperbounded public-key (UPK) model, the honest verifier is allowed 
to fix a polynomial upperbound, U, on the number of times a public key will be 
used; keep track, via a counter, of how many times the key has been used; and 
refuse to participate once the counter has reached the upperbound. 

Let us now make the following remarks about the UPK model: 

— In the RZK setting, the "strong party" is the verifier (who controls quite dramatically the prover's executions). Such a strong party, therefore, should have no problems in keeping a counter in order to save precious rounds of interaction.

— The UPK model does not assume that the prover knows the current value of 
the verifier’s counter. (Guaranteeing the accuracy of such knowledge would 
de facto require public keys that “change over time.”) 

— While our RZK protocol satisfies interesting efficiency constraints with re- 
spect to U, we believe that these should be considered properties of our 
specific protocol rather than requirements of the UPK model. 

(For instance, our public key length is independent of U, while the secret 
key length and each execution of the protocol depend on U only logarith- 
mically. Only the verifier’s key-generation phase depends linearly on U — a 
dependency that hopefully will be improved by subsequent protocols.) 

— The UPK model is somewhat similar to the one originally envisaged in … for secure digital signatures, where the signer posts an explicit upperbound on the number of signatures he will produce relative to a given public key, and keeps track of the number of signatures produced so far. (The purpose and use of our upperbound, however, are totally different.)

— While sufficient for constant-round implementation of the stronger RZK notion, the UPK model is perhaps simpler than those of [DS98] (which uses "timing assumptions") and that of [Dam00] (which uses trusted third parties to choose some system parameters) for efficient implementation of CZK.

3-Round RZK in the UPK Model. Because the powerful RZK notion seems to require substantial interaction, it is important to establish how many rounds a reasonable model can save. As we have already said, the BPK model can reduce the number of rounds to four [MR01]. We show that the UPK model can do even better, reducing the number of rounds to the minimum and, at the same time, increasing soundness:

Main Theorem: In the UPK model there exist 3-round concurrently sound RZK arguments for any language in NP, assuming collision-resistant hashing and the subexponential hardness of discrete logarithm and integer factorization.

Round-Optimality of the UPK Model. Our result is optimal (in either the UPK or the BPK model), at least for black-box RZK. This fact is evident from the following argument. Assume that a 2-round RZK (or even just ZK!) protocol (P, V) existed, in the BPK or the UPK model, for a language L ∉ BPP. Then one could construct from it a 3-round ZK protocol (P', V') by adding an initial round in which the verifier sends its public key PK to the prover. Protocol (P', V') would thus contradict the result of [GK96], which states that no 3-round black-box ZK proofs or arguments exist for non-trivial languages.

Necessity of the UPK Model. In the cited [MR01], we also show that it is impossible in the BPK model to achieve 3-round ZK with concurrent soundness. Thus, to achieve 3-round RZK, one needs either to come up with a protocol that is sequentially (but not concurrently) sound, or to enhance the model in some reasonable fashion. The former approach seems quite elusive, and whether such a protocol exists remains an open problem. Our solution is an example of the latter approach.

2 Resettable Zero-Knowledge in the UPK Model 

In this section, we define RZK in the UPK model. Let us refer the reader to the original exposition of [CGGM00] for motivation and intuition of RZK, which we do not provide here due to space constraints. Here we focus on:

^ We can replace the integer factorization assumption with the more general assumption that subexponentially secure dense public-key cryptosystems … and subexponentially secure certified trapdoor permutations exist. Or we can replace both the DL and the factorization assumptions with the assumption that decision Diffie-Hellman is subexponentially hard.

^ Note that the so constructed (P', V') will not be RZK (else, being 4-round, it would contradict the recent lowerbound of [CKPR01], and indeed even the older lowerbound of [KPR98]). However, it will still be ZK. To see this, observe that the old black-box simulator, designed to handle a very powerful resetting malicious verifier (who can choose from among multiple public keys in the public file), can also be used with the weaker standard verifier (who simply uses only a single public key transmitted in the first message).
— RZK arguments (rather than proofs). That is, we assume that the prover is polynomial-time and we let soundness hold in a computational (rather than probabilistic) sense. Our protocol in Section … and the public key protocol of [CGGM00] are RZK arguments.

— Black-box zero-knowledgeness. That is, we demand that there exist a single simulator that works for all malicious verifiers V* (given oracle access to V*). This is a stronger notion, and is indeed the one we satisfy in Section ….



The Players 

Let 



— A public file F be a polynomial-size collection of records (id, PK_id), where id is a string identifying a verifier, and PK_id is its (alleged) public key.

— A prover P (for a language L) be an interactive deterministic polynomial-time TM that is given as inputs (1) a security parameter 1^n, (2) an n-bit string x ∈ L, (3) an auxiliary input y, (4) a public file F, (5) a verifier identity id, and (6) a random tape ω.

For simplicity of exposition, one can view P as a non-interactive TM that is given, as an additional input, the entire history of the messages already exchanged in the interaction, and outputs the next message. Fixing all inputs, this view allows one to think of P(1^n, x, y, F, id, ω) as a simple deterministic oracle, which is helpful in defining the notion of RZK below.

— A U-bounded (honest) verifier V, for a positive polynomial U, be an interactive polynomial-time TM that, on first input a security parameter 1^n, works in U(n) + 1 stages, with the ability of keeping state information. In the first key generation stage, on input a security parameter 1^n, V outputs a public key PK and remembers the corresponding secret key SK. In subsequent U(n) verification stages, on input an n-bit string x, V performs an interactive protocol with a prover.

— An (s,t)-resetting verifier V*, for any two positive polynomials t and s, be a TM that runs in two stages so that, on first input 1^n,

1. In stage 1, V* receives s(n) values x_1, …, x_{s(n)} ∈ L of length n each, and outputs an arbitrary public file F and a list of s(n) identities id_1, …, id_{s(n)}.

2. In stage 2, V* starts in the final configuration of stage 1, is given oracle access to s(n)^3 provers, and then outputs whatever it desires (in particular, it can output its "view" of the interactions, which includes its random string).

3. The total number of steps of V* in both stages is at most t(n).

— A black-box simulator M be a polynomial-time machine that is given oracle access to V*. By this we mean that it can run V* multiple times, each time picking V*'s inputs, random tape and (because V* makes oracle queries itself) the answers to all of V*'s queries. M is also given s(n) values x_1, …, x_{s(n)} ∈ L as input.
The Definitions

To define RZK in the UPK model, we must define (1) completeness, (2) soundness and (3) resettable zero-knowledgeness proper. For lack of space, we omit a formal discussion of completeness in the UPK model. (This property is the usual one for interactive proofs, except that it has to hold only for the first U(n) interactions, and to assume that P gets the correct public key for V.) For the same reason, we omit a formal discussion of concurrent soundness, the type of soundness actually enjoyed by our protocol and informally specified in our introduction. (The reader is referred to [MR01] for formal details.) The third notion is the same as in [CGGM00]. Nonetheless, we find it useful to recall it below.

Definition 1. (P, V) is black-box resettable zero-knowledge for an NP-language L if there exists a simulator M such that for every pair of positive polynomials (s,t), for every (s,t)-resetting verifier V*, for every x_1, …, x_{s(n)} ∈ L and their corresponding NP-witnesses y_1, …, y_{s(n)}, the following probability distributions are indistinguishable (in time polynomial in n):

1. The output of V* obtained after choosing ω_1, …, ω_{s(n)} uniformly at random, running the first stage of V* to obtain F, and then letting V* interact in its second stage with the following s(n)^3 instances of P: P(x_i, y_i, F, id_k, ω_j) for 1 ≤ i, j, k ≤ s(n).

2. The output of M with input x_1, …, x_{s(n)} interacting with V*.

3 Tools 

Let us quickly recall the notation, the definitions and the constructions that we 
utilize in our protocol. 



3.1 Probabilistic Notation 

(The following is taken verbatim from [BDMP91] and [GMR88].) If A(·) is an algorithm, then for any input x, the notation "A(x)" refers to the probability space that assigns to the string σ the probability that A, on input x, outputs σ. If S is a probability space, then "x ← S" denotes the algorithm which assigns to x an element randomly selected according to S. If F is a finite set, then the notation "x ← F" denotes the algorithm that chooses x uniformly from F.

If p is a predicate, the notation PROB[x ← S; y ← T; ⋯ : p(x, y, ⋯)] denotes the probability that p(x, y, ⋯) will be true after the ordered execution of the algorithms x ← S; y ← T; ⋯. The notation [x ← S; y ← T; ⋯ : (x, y, ⋯)] denotes the probability space over {(x, y, ⋯)} generated by the ordered execution of the algorithms x ← S, y ← T, ⋯.
3.2 Trapdoor Commitment Schemes

In this section we present trapdoor commitment schemes that are secure against subexponentially strong adversaries (satisfying an additional key-verification property).

Informally, a trapdoor commitment scheme consists of a quintuple of algorithms. Algorithm TCGen generates a pair of matching public and secret keys. Algorithm TCCom takes two inputs, a value v to be committed to and a public key, and outputs a pair, (c, d), of commitment and decommitment values. Algorithm TCVer takes the public key and c, v, d and checks whether c was indeed a commitment to v.

What makes the commitment computationally binding is that without knowledge of the secret key, it is computationally hard to come up with a single commitment c and two different decommitments d_1 and d_2 for two different values v_1 and v_2 such that TCVer would accept both c, v_1, d_1 and c, v_2, d_2. What makes it perfectly secret is that the value c yields no information about the value v. Moreover, this has to hold even if the public key is chosen adversarially. Thus, there has to be an algorithm TCKeyVer that takes a public key as input and verifies whether the resulting commitment scheme is indeed perfectly secret. (More generally, TCKeyVer can be an interactive protocol between the committer and the key generator, rather than an algorithm; however, for our application, the more restricted view suffices.)

Perfect secrecy ensures that, information-theoretically, any commitment c can be decommitted arbitrarily: for any given commitment c to a value v_1, and any value v_2, there exists d_2 such that TCVer accepts c, v_2, d_2 and the public key (indeed, if for some v_2 such d_2 did not exist, then c would leak information about the actual committed value v_1). The trapdoor property makes this assurance computational: knowing the secret key enables one to decommit arbitrarily through the use of the TCFake algorithm.

Definition 2. A Trapdoor Commitment Scheme (TC) is a quintuple of probabilistic polynomial-time algorithms TCGen, TCCom, TCVer, TCKeyVer and TCFake, such that

1. Completeness. ∀n, ∀v,

PROB[(TCPK, TCSK) ← TCGen(1^n); (c, d) ← TCCom(TCPK, v) :
TCKeyVer(TCPK, 1^n) = TCVer(TCPK, c, v, d) = YES] = 1

2. Computational Soundness. ∃ α > 0 such that for all sufficiently large n and for all 2^{n^α}-gate adversaries ADV

PROB[(TCPK, TCSK) ← TCGen(1^n);
(c, v_1, v_2, d_1, d_2) ← ADV(1^n, TCPK) :
TCVer(TCPK, c, v_1, d_1) = YES and
TCVer(TCPK, c, v_2, d_2) = YES and v_1 ≠ v_2] < 2^{−n^α}

We call α the soundness constant.

^ We follow a similar discussion in … almost verbatim.
3. Perfect Secrecy. ∀ TCPK such that TCKeyVer(TCPK, 1^n) = YES and ∀ v_1, v_2 of equal length, the following two probability distributions are identical:

[(c_1, d_1) ← TCCom(TCPK, v_1) : c_1] and
[(c_2, d_2) ← TCCom(TCPK, v_2) : c_2]

4. Trapdoorness. ∀ (TCPK, TCSK) ∈ {TCGen(1^n)}, ∀ v_1, v_2 of equal length, the following two probability distributions are identical:

[(c, d_1) ← TCCom(TCPK, v_1);
d'_2 ← TCFake(TCPK, TCSK, c, v_1, d_1, v_2) : (c, d'_2)] and
[(c, d_2) ← TCCom(TCPK, v_2) : (c, d_2)]

(In particular, the above states that faked commitments are correct: indeed, d'_2 ← TCFake(TCPK, TCSK, c, v_1, d_1, v_2) implies that TCVer(TCPK, c, v_2, d'_2) = YES.)

In this paper, we will also require that the relation {(TCPK, TCSK)} be polynomial-time; this is easy to satisfy by simply including the random string used in key generation into the secret key.

Such commitment schemes can be constructed, in particular, based on a subexponentially strong variant of the Discrete Logarithm assumption. We refer the reader to … (where, in Section 6.1.2, it is called a DL-based "chameleon blob") for the construction.
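As an added illustration of the five-algorithm interface of Definition 2 (example code written for this page, not the authors' construction or the cited DL-based chameleon blob verbatim), the following Python sketches a discrete-log trapdoor commitment over a toy prime-order subgroup. The group parameters P and Q, the function names, and the helper that recovers the trapdoor from a double opening are all constructed for the example; the parameters are far too small to offer any security and exist only so that TCKeyVer's primality checks run instantly.

```python
"""Toy discrete-log trapdoor ("chameleon") commitment exposing the
TCGen / TCCom / TCVer / TCKeyVer / TCFake interface of Definition 2.
Constructed for illustration: the group is tiny and gives no security."""
import secrets

# Constructed toy group: p = 2q + 1 with p and q prime, so the squares mod p
# form a subgroup of prime order q.  (A real deployment would use a
# ~2048-bit p with a ~256-bit q, or an elliptic-curve group.)
P = 2039
Q = 1019


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def tc_gen():
    """TCGen: public key (p, q, g, h) with h = g^x mod p; secret key (trapdoor) x."""
    while True:
        g = pow(secrets.randbelow(P - 3) + 2, 2, P)  # a square, so order q or 1
        if g != 1:
            break
    x = secrets.randbelow(Q - 1) + 1                  # trapdoor in [1, q-1]
    h = pow(g, x, P)
    return (P, Q, g, h), x


def tc_key_ver(pk) -> bool:
    """TCKeyVer: accept only keys for which perfect secrecy actually holds.

    Secrecy needs g and h to lie in the same order-q subgroup with h != 1:
    with h = 1 the commitment g^v h^r = g^v reveals v outright, and an h
    outside the subgroup leaks information about r (and hence about v).
    """
    p, q, g, h = pk
    if not (is_prime(p) and is_prime(q) and p == 2 * q + 1):
        return False
    return all(1 < y < p and pow(y, q, p) == 1 for y in (g, h))


def tc_com(pk, v: int):
    """TCCom: commit to v in Z_q; c = g^v h^r with fresh r, decommitment d = r."""
    p, q, g, h = pk
    r = secrets.randbelow(q)
    c = (pow(g, v % q, p) * pow(h, r, p)) % p
    return c, r


def tc_ver(pk, c: int, v: int, d: int) -> bool:
    """TCVer: recompute g^v h^d and compare with c."""
    p, q, g, h = pk
    return 0 <= d < q and c == (pow(g, v % q, p) * pow(h, d, p)) % p


def tc_fake(pk, sk: int, c: int, v1: int, d1: int, v2: int) -> int:
    """TCFake: holding the trapdoor x, open c (made for v1 with d1) as v2.

    c = g^(v1 + x*d1), so any d2 with v2 + x*d2 = v1 + x*d1 (mod q) verifies.
    d2 is uniform in Z_q whenever d1 is, matching the Trapdoorness property.
    """
    _, q, _, _ = pk
    return (d1 + (v1 - v2) * pow(sk, -1, q)) % q


def trapdoor_from_double_opening(pk, v1: int, d1: int, v2: int, d2: int) -> int:
    """Why computational soundness reduces to discrete log: two valid openings
    (v1, d1) and (v2, d2) of one commitment give x = (v1 - v2)/(d2 - d1) mod q,
    i.e. whoever equivocates without the key has computed log_g(h)."""
    _, q, _, _ = pk
    return ((v1 - v2) * pow((d2 - d1) % q, -1, q)) % q


if __name__ == "__main__":
    pk, sk = tc_gen()
    assert tc_key_ver(pk)
    c, d = tc_com(pk, 42)
    assert tc_ver(pk, c, 42, d) and not tc_ver(pk, c, 43, d)
    d2 = tc_fake(pk, sk, c, 42, d, 777)          # equivocate with the trapdoor
    assert tc_ver(pk, c, 777, d2)
    assert trapdoor_from_double_opening(pk, 42, d, 777, d2) == sk
    print("trapdoor commitment demo OK")
```

Two points the code makes concrete. TCKeyVer is not optional: a committer who skips it and accepts an adversarial key with h = 1 or with h outside the order-q subgroup loses perfect secrecy, which is exactly the property the definition requires to hold for adversarially chosen keys. And the last helper shows the flip side of trapdoorness: whoever produces two openings of the same c has computed the trapdoor, so the binding property is as strong as the discrete-log problem in the group and the secret key must never leave the verifier.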



3.3 Hash-Based Commitment Schemes 



We also have a need of non-trapdoor, non-interactive, computationally-binding commitment schemes (which, unlike trapdoor commitments, need not be secure against subexponentially strong adversaries). Because of the absence of the trapdoor requirement, these simpler commitment schemes can be implemented more efficiently if one replaces perfect secrecy by the essentially equally powerful property of statistical secrecy (i.e., even with infinite time one can get only a statistically negligible advantage in distinguishing the commitments of any two different values). In particular, [DPP97, HM96] show how to commit to any value by just one evaluation of a collision-free hash function H : {0,1}* → {0,1}^k. To differentiate trapdoor commitments from these simpler ones, we shall call them hash-based commitments.

Though the trapdoor property does not hold, we still insist that, given any commitment and any value, it is possible in time 2^k to decommit to that value.

Definition 3. A Hash-Based Commitment Scheme (HC) is a pair of probabilistic polynomial-time algorithms HCCom, HCVer, along with the algorithm HCFake that runs in time 2^k · poly when its first input is k and poly is some polynomial in the size of its input, such that
1. Completeness. ∀k, ∀v,

PROB[(c, d) ← HCCom(1^k, v) : HCVer(1^k, c, v, d) = YES] = 1

2. Computational Soundness. For all probabilistic polynomial-time machines ADV, and all sufficiently large k,

PROB[(c, v_1, v_2, d_1, d_2) ← ADV(1^k) :
v_1 ≠ v_2 and HCVer(1^k, c, v_1, d_1) = YES = HCVer(1^k, c, v_2, d_2)]

is negligible in k.

3. Statistical Secrecy. ∀ v_1, v_2 of equal length, the statistical difference between the following two probability distributions is negligible in k:

[(c_1, d_1) ← HCCom(1^k, v_1) : c_1] and [(c_2, d_2) ← HCCom(1^k, v_2) : c_2]

4. Breakability. ∀ v_1, v_2 of equal length, the statistical difference between the following two probability distributions is negligible in k:

[(c, d_1) ← HCCom(1^k, v_1); d'_2 ← HCFake(1^k, c, v_1, d_1, v_2) : (c, d'_2)] and

[(c, d_2) ← HCCom(1^k, v_2) : (c, d_2)]

We refer the reader to [DPP97, HM96] for the constructions of such schemes, which are based on the assumption that collision-resistant hash functions exist.

3.4 Non-interactive Zero-Knowledge Proofs of Knowledge 

Non-interactive zero-knowledge (NIZK) proofs for any language $L \in \mathrm{NP}$ were 
put forward and exemplified in [BFM88, BDMP91]. Ordinary ZK proofs rely on 
interaction. NIZK proofs replace interaction with a random shared string, $\sigma$, 
that enters the view of the verifier that a simulator must reproduce. Whenever 
the security parameter is $1^n$, $\sigma$’s length is $\mathrm{NI\sigma Len}(n)$, where NIσLen is a fixed, 
positive polynomial. 

Let us quickly recall their definition, modified for polynomial-time provers 
and security against subexponentially strong adversaries. 

Definition 4. Let non-interactive prover NIP and non-interactive verifier NIV 
be two probabilistic polynomial-time algorithms, and let NIσLen be a positive 
polynomial. We say that (NIP, NIV) is a NIZK argument system for an NP- 
language $L$ if 

1. Completeness. $\forall x \in L$ of length $n$, $\sigma$ of length $\mathrm{NI\sigma Len}(n)$, and NP-witness 
$y$ for $x$, 

$$\mathrm{PROB}[\pi \leftarrow \mathrm{NIP}(\sigma, x, y) : \mathrm{NIV}(\sigma, x, \pi) = \mathrm{YES}] = 1.$$

2. Soundness. $\forall x \notin L$ of length $n$, 

$$\mathrm{PROB}[\sigma \leftarrow \{0,1\}^{\mathrm{NI\sigma Len}(n)} : \exists \pi \text{ s.t. } \mathrm{NIV}(\sigma, x, \pi) = \mathrm{YES}]$$

is negligible in $n$. 

3. Zero-Knowledgeness. $\exists \alpha > 0$ and a probabilistic polynomial-time simulator 
NIS such that, $\forall$ sufficiently large $n$, $\forall x$ of length $n$ and NP-witness $y$ 
for $x$, the following two distributions are indistinguishable by any $2^{n^\alpha}$-gate 
adversary: 

$$[(\sigma', \pi') \leftarrow \mathrm{NIS}(x) : (\sigma', \pi')] \quad \text{and} \quad [\sigma \leftarrow \{0,1\}^{\mathrm{NI\sigma Len}(n)};\ \pi \leftarrow \mathrm{NIP}(\sigma, x, y) : (\sigma, \pi)]$$

We call $\alpha$ the zero-knowledgeness constant. 

In [DP92], De Santis and Persiano propose to add a proof of knowledge prop- 
erty to NIZK. Let $R \subseteq \{0,1\}^* \times \{0,1\}^*$ be a polynomial-time relation (i.e., given 
a pair of strings $(x, y)$, it is possible to check in time polynomial in $|x|$ whether 
$(x, y) \in R$). Let $L$ be the NP language corresponding to $R$ ($L = \{x : \exists y \text{ s.t. } (x, y) \in R\}$). 
Let (NIP, NIV) be a NIZK proof system for $L$. An extractor is a proba- 
bilistic polynomial-time TM that runs in two stages: in stage one, on input $1^n$, 
it outputs a string $\sigma$ of length $\mathrm{NI\sigma Len}(n)$ (and saves any information it wants 
to use in stage two); in stage two, on input $x$ of length $n$ and a proof $\Pi$ for $x$ 
relative to shared string $\sigma$, it tries to find a witness $y$ for $x$. 

Definition 5. An NIZK argument (NIP, NIV) is a NIZKPK if there exists an 
extractor $\mathrm{NIExt} = (\mathrm{NIExt}_1, \mathrm{NIExt}_2)$ such that, for all probabilistic polynomial- 
time malicious provers $\mathrm{NIP}^*$, for all constants $a > 0$, for all sufficiently large $n$ 
and for all $x$, 

$$\mathrm{PROB}[(\sigma, \mathit{state}) = \mathrm{NIExt}_1(1^n);\ \pi = \mathrm{NIP}^*(\sigma, x);\ y = \mathrm{NIExt}_2(\mathit{state}, x, \pi) : (x, y) \in R] \geq p_{n,x} \cdot (1 - n^{-a}),$$

where $p_{n,x} = \mathrm{PROB}[\sigma \leftarrow \{0,1\}^{\mathrm{NI\sigma Len}(n)};\ \pi = \mathrm{NIP}^*(\sigma, x) : \mathrm{NIV}(\sigma, x, \pi) = 1]$. 

The authors of [DP92] show that NIZKPKs exist for all polynomial-time re- 
lations under the RSA assumption. Furthermore, the results of [DDP00] (com- 
bined with those of [citation illegible]) show the same under more general assumptions: 
that dense public-key cryptosystems and certified trapdoor permutations exist. 
They also present constructions secure under the specific assumptions of factor- 
ing Blum integers or decision Diffie-Hellman. Because we need NIZKPKs to be 
secure against subexponentially strong adversaries, we need subexponentially 
strong versions of these assumptions. We refer the reader to these papers for 
details. 



3.5 Additional Basic Tools 



We also use two basic and commonly used tools, whose definitions are recalled in 
the appendix. The first is a Merkle tree [Mer89], which can be constructed based 
on a collision-resistant hash function. The second is a subexponentially-strong 
pseudorandom function [GGM86], i.e., one that is secure against adversaries of 
size $2^{n^\alpha}$ (such $\alpha$ is called the pseudorandomness constant). It can be constructed 
based on subexponentially strong one-way functions. 

4 Our Construction 

Why the Obvious Solution Does Not Work. Before we begin, let us 
demonstrate that our goal cannot be more easily achieved by the following sim- 
pler construction. 

Let cmax = U(n) be the upper bound on the number of uses of the verifier’s 
public key (i.e., the max value for the verifier’s counter). Take a four-round ZK 
protocol, and have the verifier post cmax independently generated first-round 
messages in its public key. Then execution number c simply uses first-round 
message number c appearing in the public key, and performs the remaining 
three rounds of the protocol as before. 

The above construction does not work, because the prover does not know the 
real value c of the verifier’s counter. This enables a malicious verifier to choose 
the value of c after it sees the prover’s first message. Thus, if such a verifier 
resets the prover while varying c, it will typically gain knowledge. (Typically, in 
a 4-round ZK protocol, the verifier commits to a question without revealing it, 
the prover sends a first message, the verifier asks the question, and the prover 
answers it. However, if the prover were to answer two different questions relative 
to the same first message, then zero-knowledgeness disappears. Now, in the above 
construction, varying c enables the verifier to ask different questions.) 

High-Level Description. As in the CGGM protocol, we use the NP-complete 
language of graph 3-colorability and the parallel repetition of the protocol of 
[GMW91] as our starting point. Thus, in the first round, P commits to a number 
of random recolorings of a graph G, in the second round V requests to reveal 
the colors of one edge for each committed recoloring, and in the third round P 
opens the relevant commitments. 

To allow the RZK simulator to work, our protocol uses trapdoor commitment 
schemes as in many prior ZK protocols (e.g., the RZK one of [CGGM00], the 
CZK one of [DNS98], and the ZK one of [FS89]). That is, V’s public key contains 
a key for a trapdoor commitment scheme, and P’s first-round commitments are with 
respect to that public key. If the simulator knows the trapdoor, then it can open 
the commitments any way it needs in the third round. 

To ensure that the simulator knows the trapdoor, the CGGM protocol uses 
a three-round proof-of-knowledge subprotocol, with V proving to P knowledge 
of the trapdoor. This requires V to send two messages to P. Because we have a 
total of only three rounds, we cannot use such a subprotocol — in three rounds 
V only sends one message to P. We therefore use non-interactive ZK proofs of 
knowledge. This, of course, requires P and V to agree on a shared random string 
$\sigma$. 

It is because of the string $\sigma$ that we cannot use the BPK model directly, and 
have to strengthen it with a counter. Let cmax = U(n) be the bound on the 
number of times the public key is used. During key generation, V generates cmax 
random strings $\sigma_1, \ldots, \sigma_{cmax}$, and commits to each one of them using hash- 
based commitments (to make the public key length independent of cmax, the 
resulting commitments are then put into a Merkle tree). In its first message, 
P sends a fresh random string $\sigma_P$, and in its message V decommits $\sigma_c$, where 
c is the current counter value, and provides the NIZKPK proof with respect to 

$$\sigma = \sigma_P \oplus \sigma_c.$$

The RZK simulator, after seeing the value of $\sigma_c$, can rewind the verifier and 
choose $\sigma_P$ so that $\sigma = \sigma_P \oplus \sigma_c$ allows it to extract the trapdoor from the 
NIZKPK proof. Of course, there is nothing to prevent a malicious verifier V* 
from choosing a value of c after seeing $\sigma_P$; but because the number of choices 
for V* is only polynomial, the simulator has an inverse polynomial probability 
of guessing c correctly. 

One question still remains unresolved: how to ensure that a malicious verifier 
V* does not ask P multiple different queries for the same recoloring of the graph? 
If V* resets P, then it will get the same committed recolorings in the first round; 
if it can then ask a different set of queries, then it gains a lot of information 
about the coloring of the graph (eventually even recovering the entire coloring). 
To prevent this, the CGGM protocol makes the verifier commit to its queries 
before it receives any information from P. Our protocol, however, cannot afford 
to do that, because we only have three rounds. Instead, during key generation 
the verifier commits (using hash-based commitments) to a seed PRFKey for 
a pseudorandom function PRF, and adds the commitment to the public key. 
The verifier’s queries are then computed using $\mathrm{PRF}(\mathit{PRFKey}, \cdot)$ applied to the 
relevant information received from P in the first round and the counter value c. 
To prove to P that they are indeed computed correctly, the verifier has to include 
in its NIZKPK proof knowledge of a PRFKey that leads to such queries and 
knowledge of the decommitment to PRFKey. 

A Few More Technical Details. In our protocol, just like in the CGGM 
protocol, all probabilistic choices of the prover are generated as a pseudorandom 
function of the input. (This is indeed the first step towards resettability, as it 
reduces the advantages of resetting the prover with the same random tape.) 
Because the prover makes no probabilistic choices in its second step, we do not 
need to include the verifier’s message in the input to the pseudorandom function. 

To ensure soundness and avoid problems with malleability of P’s commit- 
ments, we use complexity leveraging in a way similar to the CGGM protocol. 
That is, we shall use two polynomially-related security parameters: n for all 
the components except the hash-based commitment scheme HC, and $k = n^\varepsilon$ for 
HC. 

This will ensure that any algorithm that is endowed with a subroutine for 
breaking HC commitments, but is polynomial-time otherwise, is still incapable 
(simply by virtue of its running time) of breaking any other of our components. 
This property will be used in our proof of soundness. 

We actually choose the constant $\varepsilon$ in a particular way. Namely, we shall use 
a trapdoor commitment scheme TC with soundness constant $\alpha_1$, an NIZKPK 
system (NIP, NIV) (for a relation to be specified later) with zero-knowledgeness 
constant $\alpha_2$, and a pseudorandom function PRF with pseudorandomness con- 
stant $\alpha_3$, and set $\varepsilon < \min(\alpha_1, \alpha_2, \alpha_3)$. 

The Full Description. The complete details of P and V are given below. 

Key Generation Algorithm for V 

System Parameter: A polynomial U 

Security Parameter: $1^n$ 

Procedure: 

1. Let cmax = U(n). 

2. Generate random strings $\sigma_1, \ldots, \sigma_{cmax}$ of length $\mathrm{NI\sigma Len}(n)$ each. 
(Note: to save secret key length, the strings $\sigma_c$ can be generated 
using a pseudorandom function of c, whose short seed can be 
made part of the secret key). 

3. Let $k = n^\varepsilon$. 

4. Commit to each $\sigma_c$ using $(\sigma\mathit{Com}_c, \sigma\mathit{Decom}_c) \leftarrow \mathrm{HCCom}(1^k, \sigma_c)$. 

5. Combine the values $\sigma\mathit{Com}_c$ into a single Merkle tree with root R. 
(Note: If the values $\sigma_c$ are generated via a PRF to save on secret 
key length, then also the values $\sigma\mathit{Com}_c$, the resulting Merkle tree, 
etc. can be computed efficiently in space logarithmic in cmax.) 

6. Generate a random string PRFKey of length n. 

7. Commit to PRFKey using 

$(\mathit{PRFKeyCom}, \mathit{PRFKeyDecom}) \leftarrow \mathrm{HCCom}(1^k, \mathit{PRFKey})$. 

8. Generate keys for the trapdoor commitment scheme: 

$(\mathit{TCPK}, \mathit{TCSK}) \leftarrow \mathrm{TCGen}(1^n)$. 

Output: 

$PK = (R, \mathit{PRFKeyCom}, \mathit{TCPK})$ 

$SK = (\{(\sigma_c, \sigma\mathit{Decom}_c)\}_{1 \le c \le cmax}, (\mathit{PRFKey}, \mathit{PRFKeyDecom}), \mathit{TCSK})$. 



Protocol (P, V) 

Public File: 

A collection F of records $(id, PK_{id})$, where $PK_{id}$ is allegedly the 
output of the Key Generation Algorithm above 

Common Inputs: 

A graph $G = (V, E)$, and a security parameter $1^n$ 

P Private Input: 

A valid coloring of G, $col : V \rightarrow \{0, 1, 2\}$; P’s id and the file F; 
a random string $\omega$ 

V Private Input: 

A secret key SK, a counter value c, and a bound cmax. 

P Step One: 

1. Using the random string $\omega$ as a seed for PRF, generate 
a sufficiently long “random” string from the input to be used 
in the remaining computation. 

2. Find $PK_{id}$ in F; let $PK_{id} = (R, \mathit{PRFKeyCom}, \mathit{TCPK})$ 
(if more than one $PK_{id}$ exist in F, use the alphabetically first one). 

3. Verify TCPK by invoking $\mathrm{TCKeyVer}(1^n, \mathit{TCPK})$. 

4. Let $\sigma_P$ be a random string of length $\mathrm{NI\sigma Len}(n)$. 

5. Commit to random recolorings of G as follows. 
Let $\pi_1, \ldots, \pi_n$ be random permutations on $\{0, 1, 2\}$. 
For all i ($1 \le i \le n$) and $v \in V$, commit to $\pi_i(col(v))$ by computing 
$(c\mathit{Com}_{i,v}, c\mathit{Decom}_{i,v}) \leftarrow \mathrm{TCCom}(\mathit{TCPK}, \pi_i(col(v)))$. 

6. If all the verifications hold, send $\sigma_P$ and $\{c\mathit{Com}_{i,v}\}_{1 \le i \le n,\, v \in V}$ to V. 

V Step One: 

1. Increment c and check that it is no greater than cmax. 

2. For each j ($1 \le j \le n$), compute a challenge edge $e_j \in E$ by 
applying PRF to the counter value c, j and the 
commitments received from P: 

$$e_j = \mathrm{PRF}(\mathit{PRFKey},\ c \circ j \circ \{c\mathit{Com}_{i,v}\}_{1 \le i \le n,\, v \in V})$$

3. Let $\sigma = \sigma_P \oplus \sigma_c$. Compute a NIZKPK proof $\Pi$ using NIP on $\sigma$ 
and the following statement: 

“$\exists$ key K for PRF that generated the challenge edges $\{e_j\}_{1 \le j \le n}$; 
$\exists$ decommitment D s.t. $\mathrm{HCVer}(1^k, \mathit{PRFKeyCom}, K, D) = \mathrm{YES}$; 
$\exists$ secret key S corresponding to the public key TCPK” 
(Note: this can be computed efficiently because V knows witnesses 
PRFKey for K, PRFKeyDecom for D, and TCSK for S). 

4. Send c, $\sigma_c$, $\sigma\mathit{Com}_c$ together with its authenticating path in 
the Merkle tree, $\sigma\mathit{Decom}_c$, $\Pi$ and $\{e_j\}_{1 \le j \le n}$ to P. 

P Step Two: 

1. Verify the authenticating path of $\sigma\mathit{Com}_c$ in the Merkle tree. 

2. Verify that $\mathrm{HCVer}(1^k, \sigma\mathit{Com}_c, \sigma_c, \sigma\mathit{Decom}_c) = \mathrm{YES}$. 

3. Let $\sigma = \sigma_P \oplus \sigma_c$. Verify $\Pi$ using NIV. 

4. If all the verifications hold, for each $e_j = (v_j^0, v_j^1)$ and $b \in \{0, 1\}$, 
send $c_j^b = \pi_j(col(v_j^b))$ and $c\mathit{Decom}_{j, v_j^b}$ to V. 

V Step Two: 

1. Verify that, for all j ($1 \le j \le n$), and for all $b \in \{0, 1\}$, 
$\mathrm{TCVer}(\mathit{TCPK}, c\mathit{Com}_{j, v_j^b}, c_j^b, c\mathit{Decom}_{j, v_j^b}) = \mathrm{YES}$. 

2. Verify that for all j ($1 \le j \le n$), $c_j^0 \ne c_j^1$. 

3. If all the verifications hold, accept. Else reject. 
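The verifier’s challenge derivation and the role of the counter, as an added example in Python; this is not code from the paper. PRF is instantiated with HMAC-SHA256 and TCCom with a plain hash commitment (no trapdoor), both stand-ins assumed here; the graph, its coloring, the prover’s tape and PRFKey are constructed sample values. The block walks through P Step One, V Step One item 2, and both parties’ Step Two checks, then resets the prover (same tape, same input) and lets V answer twice: with the same counter value the challenge edges coincide, so the reset yields nothing new, while a fresh counter value gives different edges, which is exactly the behaviour that the NIZKPK over PRFKey and c is there to pin down. The NIZKPK itself, the trapdoor and the Merkle-tree checks are left out.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

# Constructed sample instance: a 3-colourable graph G = (V, E) and a valid
# colouring col : V -> {0, 1, 2} (the prover's private input).
VERTICES: List[int] = [0, 1, 2, 3, 4]
EDGES: List[Tuple[int, int]] = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
COL: Dict[int, int] = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}


def prf(key: bytes, data: bytes) -> bytes:
    """PRF(PRFKey, x). HMAC-SHA256 is a stand-in chosen for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """sigma = sigma_P xor sigma_c: the shared string both parties derive."""
    return bytes(x ^ y for x, y in zip(a, b))


def tc_commit(r: bytes, i: int, v: int, colour: int) -> bytes:
    """Stand-in for TCCom(TCPK, .): a plain hash commitment with randomness r.
    It has no trapdoor; only its binding matters for what is shown here."""
    return hashlib.sha256(r + bytes([i, v, colour])).digest()


def prover_first_message(omega: bytes, n: int):
    """P Step One. Every probabilistic choice is a PRF of the tape omega, so a
    prover reset to the same omega and input repeats the same first message."""
    rng = random.Random(prf(omega, b"tape"))      # PRF-expanded random tape
    sigma_p = prf(omega, b"sigma_P")
    perms, rands, commitments = [], {}, []
    for i in range(n):
        perm = [0, 1, 2]
        rng.shuffle(perm)                           # pi_i, a permutation of {0,1,2}
        perms.append(perm)
        for v in VERTICES:
            r = rng.getrandbits(128).to_bytes(16, "big")
            rands[(i, v)] = r
            commitments.append(tc_commit(r, i, v, perm[COL[v]]))  # cCom_{i,v}
    return sigma_p, commitments, {"perms": perms, "rands": rands}


def challenge_edges(prf_key: bytes, c: int, commitments: List[bytes], n: int):
    """V Step One, item 2: e_j = PRF(PRFKey, c o j o {cCom_{i,v}}), mapped into E."""
    transcript = b"".join(commitments)
    edges = []
    for j in range(n):
        block = prf(prf_key, c.to_bytes(4, "big") + j.to_bytes(4, "big") + transcript)
        edges.append(EDGES[int.from_bytes(block[:4], "big") % len(EDGES)])
    return edges


def prover_second_message(state, edges):
    """P Step Two, item 4: for e_j = (v0, v1) reveal pi_j(col(v_b)) and cDecom_{j,v_b}."""
    openings = []
    for j, (v0, v1) in enumerate(edges):
        perm = state["perms"][j]
        openings.append([(perm[COL[v]], state["rands"][(j, v)]) for v in (v0, v1)])
    return openings


def verify_openings(commitments, edges, openings) -> bool:
    """V Step Two: each opening must match cCom_{j,v} and the two colours must differ."""
    for j, ((v0, v1), opens) in enumerate(zip(edges, openings)):
        for v, (colour, r) in zip((v0, v1), opens):
            if tc_commit(r, j, v, colour) != commitments[j * len(VERTICES) + v]:
                return False
        if opens[0][0] == opens[1][0]:
            return False
    return True


def reset_experiment(n: int = 16) -> Dict[str, bool]:
    """Reset the prover (same tape, same input) and let V answer twice. With the
    same counter value the challenge edges coincide, so the reset reveals nothing
    new; with a fresh counter value they differ, which is why the counter is
    bound into the verifier's NIZKPK instead of being chosen freely."""
    omega, prf_key = b"constructed prover tape", b"constructed PRFKey"
    first = prover_first_message(omega, n)
    again = prover_first_message(omega, n)           # the reset
    same_first_message = first[:2] == again[:2]
    e_same = challenge_edges(prf_key, 7, first[1], n) == challenge_edges(prf_key, 7, again[1], n)
    e_diff = challenge_edges(prf_key, 7, first[1], n) != challenge_edges(prf_key, 8, first[1], n)
    return {"same_first_message": same_first_message,
            "same_challenges_for_same_counter": e_same,
            "different_challenges_for_new_counter": e_diff}
```

Because a colour opening that does not match its commitment, or two equal colours on a challenge edge, makes `verify_openings` reject, the block also shows why the PRF-derived challenges must be fixed by the counter: a verifier free to choose c per reset would obtain openings for different edges of the same recolouring.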

Theorem 1. (P, V) is a 3-round RZK protocol in the UPK model. 

As usual, completeness is easily verified. We address soundness in Section 4.1 
and resettable zero-knowledgeness in Section 4.2. 

4.1 Computational Soundness 

Suppose G is a graph that is not 3-colorable, and P* is a circuit of size $t < 2^k$ that 
can make V accept $(G, 1^n)$ with probability $p > 1/2^k$. Then, we shall construct 
a small circuit A that receives TCPK as input, and, using P*, will output two 
trapdoor decommitments for the same TC commitment. The size of A will be 
$\mathrm{poly}(n) \cdot t \cdot 2^k / \mathrm{poly}(p)$. Thus, A will violate the soundness of TC, because its size 
is less (for a sufficiently large n) than the $2^{n^{\alpha_1}}$ allowed by the soundness property 
of TC (recall in fact that $k = n^\varepsilon$ and $\varepsilon < \alpha_1$). 

A is constructed as follows. It receives as input a public key TCPK for TC 
generated by $\mathrm{TCGen}(1^n)$. A then generates PK as if it were the public key of 
the specified honest verifier V, using V’s key generation procedure with the 
exception of step 7, for which it simply uses TCPK. Note that A knows all the 
components of the corresponding secret key of V, with the exception of TCSK. A 
selects an identity id and creates a file F to contain the single record (id, PK) 
(or embeds it into a larger such file containing other identities and public keys, 
but honestly generated). 

A will now run P* multiple times with inputs F and id (G and $1^n$ are already 
known to P*), each time with the same random tape. Thus, each time, P* will 
send the same set of strings $\sigma_P$ and $\{c\mathit{Com}_{i,v}\}_{1 \le i \le n,\, v \in V}$. Our goal, each time, 
is to allow A to respond with a different random set of challenges $\{e_j\}_{1 \le j \le n}$. 
Then, after an expected number of tries that is inversely polynomial in p, there 
will exist a recoloring i and a node v such that $c\mathit{Com}_{i,v}$ has been opened by 
P* in two different ways. That is, there will be a “break” of the commitment 
scheme TC. 

Therefore, all that remains to be shown is how A can ask a different random 
set of challenges, despite the fact that it has committed to V’s PRFKey in PK. 
Recall that honest V executes the protocol at most cmax times, and that the 
current value of V’s counter will be known to P*. If P* has such an overall 
success probability p of proving G 3-colorable, then there exists a value of V’s 
counter for which the success probability of P* is at least p. Let c be such a 
value. Because of A’s non-uniformity, we assume A “knows” c. 

To issue a set of (different) random challenges in response to the same first 
message of P*, A uses the NIZKPK simulator NIS as follows. First, A selects a 
set of random challenges $\{e'_j\}_{1 \le j \le n}$. Second, it invokes NIS to obtain a “good 
looking proof” $\sigma'$ and $\Pi'$ for the following statement S: 

S = “$\exists$ key K for PRF that generated the challenge edges $\{e'_j\}_{1 \le j \le n}$; 
$\exists$ decommitment D s.t. $\mathrm{HCVer}(1^k, \mathit{PRFKeyCom}, K, D) = \mathrm{YES}$; 
$\exists$ secret key S corresponding to the public key TCPK” 

(Note that S is potentially false, because it may be the case that no such K 
exists at all; we address this below.) Third, A sets $\tau = \sigma' \oplus \sigma_P$. Fourth, A comes 
up with a decommitment $\tau\mathit{Decom}$ that decommits $\sigma\mathit{Com}_c$ (the commitment to 
the c-th shared string computed during key generation) to $\tau$ rather than the 
originally committed $\sigma_c$. This can be done by implementing HCFake by means 
of a (sub)circuit of size $\mathrm{poly}(k)\, 2^k$. Fifth, A sends $\tau$, $\sigma\mathit{Com}_c$ together with its 
authenticating path in the Merkle tree (A knows that path from key generation), 
$\tau\mathit{Decom}$, $\Pi'$ and $\{e'_j\}_{1 \le j \le n}$ to P*. 

Thus, all that’s left to show is that P* will behave the same way as it would 
for the true verifier V, even though it received random, rather than pseudoran- 
dom, challenges, together with a faked decommitment and a simulated proof of 
a potentially false statement S. This is done by a properly constructed hybrid 
argument that relies on the zero-knowledgeness of (NIP, NIV), the pseudoran- 
domness of PRF and the statistical secrecy and breakability of HC. 

First, note that random $\{e'_j\}_{1 \le j \le n}$ cannot be distinguished from pseudoran- 
domly generated $\{e_j\}_{1 \le j \le n}$ (without knowledge of PRFKey): otherwise, we’d 
violate the pseudorandomness of PRF. Moreover, this holds even in the pres- 
ence of PRFKeyCom, because PRFKeyCom is statistically secret, and thus re- 
veals a negligible amount of information about PRFKey. It follows that the 
tuple $(\mathit{PRFKeyCom}, \{e'_j\}_{1 \le j \le n}, \sigma', \Pi')$ cannot be distinguished from the tu- 
ple $(\mathit{PRFKeyCom}, \{e_j\}_{1 \le j \le n}, \sigma'', \Pi'')$, where the challenge edges $\{e_j\}_{1 \le j \le n}$ are 
produced by the true PRF with the true committed-to PRFKey, and $\sigma'', \Pi''$ 
are produced by NIS. This, in turn, by zero-knowledgeness is indistinguish- 
able from $(\mathit{PRFKeyCom}, \{e_j\}_{1 \le j \le n}, \sigma, \Pi)$, with the pseudorandomly generated 
$\{e_j\}_{1 \le j \le n}$, a truly random $\sigma$ and $\Pi$ honestly generated by NIP. By a hybrid 
argument, therefore, the tuple $(\mathit{PRFKeyCom}, \{e_j\}_{1 \le j \le n}, \sigma, \Pi)$ is indistinguishable 
from the tuple $(\mathit{PRFKeyCom}, \{e'_j\}_{1 \le j \le n}, \sigma', \Pi')$. Of course, if we replace $\sigma$ by the 
pair $(\sigma_P, \sigma_c = \sigma \oplus \sigma_P)$ and $\sigma'$ by the pair $(\sigma_P, \tau = \sigma' \oplus \sigma_P)$, the statement 
still holds. Moreover, it holds in the presence of $\sigma\mathit{Com}_c$, because the commit- 
ment to $\sigma_c$ is statistically secret (and thus is almost equally as likely to be a 
commitment to $\tau$). The authenticating path of $\sigma\mathit{Com}_c$ in the Merkle tree is 
just a (randomized) function of $\sigma\mathit{Com}_c$ and the root R of the tree, and thus does 
not affect indistinguishability. Finally, note that this indistinguishability holds 
with respect to any distinguishing circuit of size $2^k \mathrm{poly}(n)$, because the zero- 
knowledgeness and pseudorandomness constants $\alpha_2$ and $\alpha_3$ are greater than $\varepsilon$. 
Therefore, indistinguishability holds even in the presence of the decommitment 
$\tau\mathit{Decom}$ or $\sigma\mathit{Decom}_c$, because this decommitment can be computed by such a 
circuit from $\sigma\mathit{Com}_c$ using HCFake. 

4.2 Resettable Zero-Knowledgeness (Sketch) 

Let V* be an (s, t)-resetting verifier. We will show how to construct the simulator 
M as required by Definition 1. Due to lack of space in this extended abstract, 
below we present only the essential points of our construction. 

As already proven in [CGGM00], resettability is such a strong capability of a 
malicious verifier that it has nothing else to gain by interleaving its executions 
with the honest prover. Thus, we can assume that our V* executes with P only 
sequentially. 

Recall that V* runs in two stages. Then M operates as follows. First, M runs 
the first stage of V* to obtain a public file F. Then, for every record $(id, PK_{id})$ 
in F, M remembers some information (whose meaning will be explained later 
on): 

1. M remembers whether $PK_{id}$ is “broken” or not 

2. If $PK_{id}$ is broken, M also remembers the value of TCSK 

3. If $PK_{id}$ is not broken, M also remembers a list of tuples $(c, \sigma_c, \sigma\mathit{Com}_c)$ 
Initially, every $PK_{id}$ in F is marked as not broken, and the list of tuples for each 
record is empty. 

Whenever V* starts a new session for an id that is not broken and whose list 
of tuples is empty, M computes the “first prover message” as follows: it commits 
to arbitrary color values for graph G, and then selects $\sigma_P$ at random. (Of course, 
if V* dictates that M’s random tape and inputs be equal to those in a prior inter- 
action, M has no choice but to use the same first message as in that interaction.) 
When V* responds with the verifier message, M takes $(c, \sigma_c, \sigma\mathit{Com}_c)$ from this 
message and adds it to the list of tuples maintained for $PK_{id}$. M then rewinds 
V* to the beginning of V*’s second stage. 

Whenever V* starts a new session for an id that is not broken but whose list 
of tuples is non-empty, M randomly chooses a tuple $(c', \sigma_{c'}, \sigma\mathit{Com}_{c'})$ from the list 
of tuples for $PK_{id}$. M then uses the extractor of the non-interactive ZK proof 
of knowledge, $\mathrm{NIExt}_1$, to obtain a shared string $\sigma$, and sets $\sigma_P = \sigma \oplus \sigma_{c'}$. M 
then commits to arbitrary color values for graph G and sends the commitment 
and $\sigma_P$ as the “first prover message” to V*. When V* responds with the verifier 
message, M compares the counter value c included in this response to the value 
c' from the tuple chosen above. 

1. If $c = c'$, then it must be the case that $\sigma_c = \sigma_{c'}$. (Otherwise, if the commit- 
ment $\sigma\mathit{Com}_{c'}$ previously stored by M is equal to the commitment $\sigma\mathit{Com}_c$ 
included in V*’s response, $\sigma_c$ and $\sigma_{c'}$ have been easily found, so as to violate 
the soundness of HC; and if $\sigma\mathit{Com}_c \ne \sigma\mathit{Com}_{c'}$, then a collision has been 
easily found in the Merkle tree.) Thus, the string $\Pi$, also included in the 
response of V*, is an NIZK proof of knowledge with respect to the string $\sigma$ 
output by $\mathrm{NIExt}_1$. Therefore, M can use $\mathrm{NIExt}_2$ to extract a witness TCSK 
for the secret key of the commitment scheme. In this case, $PK_{id}$ is marked 
as broken and M remembers TCSK. 

2. If $c \ne c'$, then M has learned a potentially new tuple $(c, \sigma_c, \sigma\mathit{Com}_c)$, which 
it adds to its list of tuples for $PK_{id}$. 

M then rewinds V* to the beginning of V*’s second stage. 

Whenever V* starts a new session for an id that is broken, M can always sim- 
ulate P’s behavior because M knows the trapdoor to the commitment scheme. 
Thus, it can commit to arbitrary color values in its first message, and then de- 
commit in its second message so that they look like a valid response to V*’s 
challenge edges. 

The expected running time of M is polynomial, because the expected number 
of rewinds before M breaks a given PKid is polynomial in cmax and inverse 
polynomial in the frequency with which V* uses id. 

It remains to show that V* cannot ask for two different sets of challenge edges 
for the same first message of M (if it could, then, unless M knows the correct 3- 
coloring of the graph, it may be unable to faithfully simulate the decommitments). 
However, if V* has a non-negligible probability of doing so, then one can build 
a machine ADV to violate the soundness of HC in polynomial time with non- 
negligible probability, as follows. 

ADV guesses, at random, for what instance of V the machine V* will first 
give two different sets of challenges on the same first message. ADV also guesses, 
at random, the counter values $c_1$ and $c_2$ that V* will use in these two cases. ADV 
then attempts to find out $\sigma_{c_1}$ and $\sigma_{c_2}$ by using the same technique as M. ADV 
then runs the second stage of V* two more times: once to extract a witness K 
for PRFKey and its decommitment D in the first case, and the other to extract 
a witness K' for PRFKey and its decommitment D' in the second case (this 
witness extraction is done the same way as by M). Then $K \ne K'$ and D and D' are valid 
decommitments, which violates the soundness of HC. 
A Merkle Trees 

The description below is almost verbatim from [Mic]. 

Recall that a binary tree is a tree in which every node has at most two 
children, hereafter called the 0-child and the 1-child. A Merkle tree [Mer89] with 
security parameter n is a binary tree whose nodes store values, some of which 
are computed by means of a collision-free hash function $H : \{0,1\}^* \rightarrow \{0,1\}^n$ 
in a special manner. A leaf node can store any value, but each internal node 
should store a value that is the one-way hash of the concatenation of the values 
in its children. That is, if an internal node has a 0-child storing the value u and 
a 1-child storing a value v, then it stores the value $H(u \circ v)$. Thus, because H 
produces n-bit outputs, each internal node of a Merkle tree, including the root, 
stores an n-bit value. Except for the root value, each value stored in a node of a 
Merkle tree is said to be a 0-value, if it is stored in a node that is the 0-child of 
its parent, a 1-value otherwise. 

The crucial property of a Merkle tree is that, unless one succeeds in finding a 
collision for H, it is computationally hard to change any value in the tree (and, 
in particular, a value stored in a leaf node) without also changing the root value. 
This property allows a party A to commit to L values, $v_1, \ldots, v_L$ (for simplicity 
assume that L is a power of 2 and let $d = \log L$), by means of a single n-bit value. 
That is, A stores value $v_i$ in the i-th leaf of a full binary tree of depth d, and 
uses a collision-free hash function H to build a Merkle tree, thereby obtaining an 
n-bit value, R, stored in the root. This root value R “implicitly defines” what the 
L original values were. Assume in fact that, at some point in time, A gives R, but 
not the original values, to another party B. Then, whenever, at a later point in 
time, A wants to “prove” to B what the value of, say, $v_i$ was, A may just reveal 
all L original values to B, so that B can recompute the Merkle tree and then 
verify that the newly computed root value indeed equals R. More interestingly, 
A may “prove” what $v_i$ was by revealing just $d + 1$ (that is, just $1 + \log L$) 
values: $v_i$ together with its authenticating path, that is, the values stored in the 
siblings of the nodes along the path from leaf i (included) to the root (excluded), 
$w_1, \ldots, w_d$. Party B verifies the received alleged leaf value $v_i$ and the received 
alleged authenticating path $w_1, \ldots, w_d$ as follows. She sets $u_1 = v_i$ and, letting 
$i_1, \ldots, i_d$ be the binary expansion of i, computes the values $u_2, \ldots, u_d$ as follows: 
if $i_j = 0$, she sets $u_{j+1} = H(w_j \circ u_j)$; else, she sets $u_{j+1} = H(u_j \circ w_j)$. Finally, 
B checks whether the computed n-bit value $u_d$ equals R. 
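The per-counter shared strings σ_c committed into a Merkle tree (key generation steps 2, 4 and 5 in Section 4) and their later authentication by P (P Step Two, items 1 and 2), as an added Python example that follows the verification procedure of this appendix; it is not the paper’s code. SHA-256 stands in for H, a plain hash commitment H(d ∘ σ) stands in for HCCom (it does not model the statistical secrecy or breakability of Definition 3), counter values are 0-based, and their number must be a power of 2, all assumptions made here. One convention is fixed explicitly: the 0-child is the left argument of H when the tree is built, so at a level where the index bit is 0 the running value goes first when the path is checked. The appendix writes the two cases of B’s check the other way round; whichever orientation is used, builder and checker must agree on it, which is what the example enforces by deriving both from the same rule.

```python
import hashlib
import os
from typing import Dict, List


def H(data: bytes) -> bytes:
    """The collision-free hash H : {0,1}^* -> {0,1}^n, here SHA-256 (n = 256)."""
    return hashlib.sha256(data).digest()


def hc_commit(value: bytes, decom: bytes) -> bytes:
    """Stand-in for HCCom(1^k, value): c = H(decom o value), decommitment = decom.
    A plain hash commitment chosen for this example, not the [DPP97, HM96] scheme."""
    return H(decom + value)


def build_merkle_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return the tree as levels, leaves first, root last. L must be a power of 2;
    the 0-child of each internal node is the left element of the pair it hashes."""
    if len(leaves) & (len(leaves) - 1):
        raise ValueError("number of leaves must be a power of 2")
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """w_1, ..., w_d: the sibling values on the path from leaf `index` to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def verify_path(root: bytes, leaf: bytes, index: int, path: List[bytes]) -> bool:
    """Party B's check: u_1 = v_i; at each level the sibling w_j is concatenated
    on the side given by the bit i_j of the leaf index (bit 0 means the running
    value is the 0-child, i.e. the left argument); accept iff the result equals R."""
    u = leaf
    for w in path:
        u = H(u + w) if index & 1 == 0 else H(w + u)
        index >>= 1
    return u == root


def keygen_sigma_tree(cmax: int, sigma_len: int = 32) -> Dict:
    """Steps 2, 4 and 5 of V's key generation: cmax random strings sigma_c,
    a hash-based commitment sigma_Com_c to each, and the Merkle root R for PK."""
    sigmas = [os.urandom(sigma_len) for _ in range(cmax)]
    decoms = [os.urandom(16) for _ in range(cmax)]
    coms = [hc_commit(s, d) for s, d in zip(sigmas, decoms)]
    levels = build_merkle_tree(coms)
    return {"R": levels[-1][0], "levels": levels, "sigmas": sigmas,
            "decoms": decoms, "coms": coms}


def verifier_sigma_message(sk: Dict, c: int):
    """The sigma-related part of V Step One, item 4: c, sigma_c, sigma_Com_c with
    its authenticating path, and sigma_Decom_c (counter values start at 0 here)."""
    return c, sk["sigmas"][c], sk["coms"][c], auth_path(sk["levels"], c), sk["decoms"][c]


def prover_sigma_checks(R: bytes, msg) -> bool:
    """P Step Two, items 1 and 2: the path must authenticate sigma_Com_c under R,
    and sigma_Decom_c must open sigma_Com_c to sigma_c (the HCVer check)."""
    c, sigma_c, com_c, path, decom_c = msg
    return verify_path(R, com_c, c, path) and hc_commit(sigma_c, decom_c) == com_c
```

The public key carries only R, so the prover needs nothing else to check that the σ_c it receives was fixed at key generation: a wrong counter value moves the leaf to a different position and the recomputed root no longer matches, and a substituted σ_c fails the commitment check.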

B Pseudorandom Functions 

A pseudorandom function family, introduced by Goldreich, Goldwasser and Mi- 
cali [GGM86], is a keyed family of efficiently computable functions, such that a 
function picked at random from the family is indistinguishable (via oracle access) 
from a truly random function with the same domain and range. More formally, 
let $\mathrm{PRF}(\cdot, \cdot) : \{0,1\}^n \times \{0,1\}^* \rightarrow \{0,1\}^n$ be an efficiently computable function. 
Our definition below is quite standard, except that it requires security against 
subexponentially strong adversaries. 

Definition 6. We say that PRF is a pseudorandom function if $\exists \alpha > 0$ such 
that for all sufficiently large n and all $2^{n^\alpha}$-gate adversaries ADV, the following 
difference is negligible in n: 

$$\mathrm{PROB}[\mathit{PRFKey} \leftarrow \{0,1\}^n : \mathrm{ADV}^{\mathrm{PRF}(\mathit{PRFKey}, \cdot)} = 1] \;-\; \mathrm{PROB}[F \leftarrow (\{0,1\}^* \rightarrow \{0,1\}^n) : \mathrm{ADV}^{F(\cdot)} = 1]$$

We call $\alpha$ the pseudorandomness constant. 

Pseudorandom functions can be constructed based on a variety of assump- 
tions. We refer the reader to [GGM86, NR97] (and references therein) for details. 
Abstract. In this paper we consider the security of block ciphers which 
contain alternate layers of invertible S-boxes and affine mappings (there 
are many popular cryptosystems which use this structure, including the 
winner of the AES competition, Rijndael). We show that a five layer 
scheme with 128 bit plaintexts and 8 bit S-boxes is surprisingly weak 
even when all the S-boxes and affine mappings are key dependent (and 
thus completely unknown to the attacker). We tested the attack with an 
actual implementation, which required just $2^{16}$ chosen plaintexts and a 
few seconds on a single PC to find the $2^{17}$ bits of information in all the 
unknown elements of the scheme. 

Keywords: Cryptanalysis, Structural cryptanalysis, block ciphers, sub- 
stitution permutation networks, substitution affine networks, Rijndael. 



1 Introduction 

Structural cryptanalysis is the branch of cryptology which studies the security 
of cryptosystems described by generic block diagrams. It analyses the syntactic 
interaction between the various blocks, but ignores their semantic definition as 
particular functions. Typical examples include meet in the middle attacks on 
double encryptions, the study of various chaining structures, and the properties 
of Feistel structures with a small number of rounds. 

Structural attacks are often weaker than actual attacks on given cryptosys- 
tems, since they cannot exploit particular weaknesses (such as bad differential 
properties or weak avalanche effects) of concrete functions. The flip side of this 
is that they are applicable to large classes of cryptosystems, including those in 
which some of the internal functions are unknown or key dependent. Structural 
attacks often lead to deeper theoretical understanding of fundamental construc- 
tions, and thus they are very useful in establishing general design rules for strong 
cryptosystems. 

The class of block ciphers considered in this paper are product ciphers which 
use alternate layers of invertible S-boxes and affine mappings. This structure 
is a generalization of substitution/permutation networks (in which the affine 
mapping is just a bit permutation), and a special case of Shannon’s encryp- 
tion paradigm which mixes complex local operations (called confusion) with 
simple global operations (called diffusion). There are many examples of substi- 
tution/affine ciphers in the literature, including Rijndael [citation illegible], which was recently 
selected as the winner of the Advanced Encryption Standard (AES) competi- 
tion. Rijndael is likely to become one of the most important block ciphers in the 
next 20-30 years, and thus there is a great interest in understanding its security 
properties. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 394-405, 2001. 

The best non-structural attack on Rijndael (and its predecessor Square [citation illegible]) 
is based on the square attack which exploits the knowledge of the S-box, the 
simplicity of the key schedule and the relatively slow avalanche of the sparse 
affine mapping (which linearly mixes bytes only along the rows and columns of 
some matrix and adds a subkey to the result). It can break versions with six 
S-box layers and six affine layers (a seventh layer can be added if the attacker is 
willing to guess its 128 bit subkey in a nonpractical attack). 

In our structural attacks we do not know anything about the S-boxes, the 
affine mappings, or the key schedule, since they can all be defined in a com- 
plex key-dependent way. In particular, we have to assume that the avalanche is 
complete after a single layer of an unknown dense affine mapping, and that any 
attempt to guess even a small fraction of the key would require a nonpractical 
amount of time. Consequently, we cannot use the square attack (even though 
we are influenced by some of its underlying ideas) and we have to consider a 
somewhat smaller number of layers. 

In this paper we describe surprisingly efficient structural attacks on substi- 
tution/affine structures with five to seven layers. The main scheme we attack is 
the five layer scheme $S_3 A_2 S_2 A_1 S_1$ (see Figure 1) in which each S layer contains 
k invertible S-boxes which map m bits to m bits, and each A layer contains an 
invertible affine mapping of vectors of n = km bits over GF(2): 

$$A_i(x) = L_i x \oplus B_i$$



The only information available to the attacker is the fact that the block cipher 
has this general structure, and the values of k and m. Since all the S-boxes and 
affine mappings are assumed to be different and secret, the effective key length 
of this five layer scheme is¹: 

$$\log(2^m!) \cdot 3k + 2 \log(0.29 \cdot 2^{n^2}) \approx 3 \cdot 2^m (m - 1.44) \cdot \frac{n}{m} + 2n^2 .$$



The new attack is applicable to any choice of m and n, but to simplify the 
analysis we concentrate on the Rijndael-like parameters of m = 8 bit S-boxes 
and n = 128 bit plaintexts. The effective key length of this version is about 
$3 \cdot 2^{12} \cdot 6.56 + 2^{15} \approx 113{,}000 \approx 2^{17}$ bits, and thus exhaustive search or meet 
in the middle attacks are completely impractical. Our attack requires only $2^{16}$ 
chosen plaintexts and $2^{28}$ time to find all the unknown elements. This is quite 
close to the information bound since the $2^{16}$ given ciphertexts contain at most 
$2^{23}$ bits of information about the $2^{17}$ key bits. 

¹ The probability that m randomly chosen linear equations in m unknowns are linearly 
independent over GF(2) is: 

$$\prod_{i=1}^{m} \frac{2^i - 1}{2^i} > 0.288788 . \qquad (1)$$

Fig. 1. Five-layer scheme. 

It is important to note that not all the information about the S-boxes and 
the affine mappings can be extracted from the scheme, since there are many 
equivalent keys which yield the same mapping from plaintexts to ciphertexts. 
For example, we can change the order of the various S-boxes in a single layer and 
compensate for it by changing the definition of the adjacent affine mapping. In a 
similar way, we can move the additive constants in the affine mappings into the 
definition of the adjacent S-boxes. Our attack finds an equivalent representation 
of all the elements in the scheme which makes it possible to encrypt and decrypt 
arbitrary texts, but it may be different from the original definition of these 
elements. 

A related structural attack on a five layer substitution/affine structure was 
recently published by Biham [2]. He attacked the slightly different structure 
$A_3 S_2 A_2 S_1 A_1$ (with two S-box layers and three affine layers) which was proposed 
by Patarin as a new algebraic public key cryptosystem called 2R. However, in 
Patarin’s scheme the S-boxes are implemented by multivariate quadratic poly- 
nomials, which are non-bijective due to design constraints. The starting point 
of Biham’s attack is the existence of random collisions created by such S-boxes, 
and its time and data complexities were forced by the birthday paradox to be 
at least 2®*^. Biham’s attack is thus inapplicable to substitution/affine structures 
with invertible operations which have no collisions, and has higher complexity 
than our attack. 
2 The Multiset Attack 

2.1 Multiset Properties 

In this section we develop a calculus of multiset properties, which makes it 
possible to characterize intermediate values deep in the encryption structure 
even though nothing is known about the actual functions in it. Each multi- 
set can be represented as a list of (value, multiplicity) pairs (e.g., the multiset 
{1, 1, 1, 2, 2, 2, 2, 7} can also be represented as (1, 3), (2,4), (7, 1)). The size of the 
multiset is the sum of all its multiplicities (8 in this example). We now define 
several multiset properties: 

Definition 1 A multiset M of m-bit values has property C (constant) if it con- 
tains an arbitrary number of repetitions of a single value. 

Definition 2 A multiset M of m-bit values has property P (permutation) if it 
contains exactly once each one of the $2^m$ possible values. 

Definition 3 A multiset M of m-bit values has property E (even) if each value 
occurs an even number of times (including no occurrences at all). 

Definition 4 A multiset M of m-bit values has property B (balanced) if the 
XOR of all the values (taken with their multiplicities) is the zero vector $0^m$. 

Definition 5 A multiset M of m-bit values has property D (dual) if it has either 
property P or property E. 

We will consider now the issue of how the multiset properties defined above are 
transformed by various mappings. In general if a bijective function is applied 
to a multiset we get a new multiset with possibly new values, but the same 
collection of multiplicities. If a non-bijective function is applied to a multiset, 
then the multiplicities of several distinct input values that are mapped to a 
common output value are added. The following observations are easy to prove: 

Lemma 1 
1. Any multiset with either property E or property P (when m > 1) also has 
property B. 
2. The E and C properties are preserved by arbitrary functions over m-bit 
values. 
3. The P property is preserved by arbitrary bijective functions over m-bit values. 
4. The B property is preserved by an arbitrary linear mapping from m bits to n 
bits when m > 1. It is preserved by arbitrary affine mappings when the size 
of the multiset is even. 

Let us consider now blocks of larger size n = k·m with mixed multiset properties. 
For example, we denote by $PC^{k-1}$ a multiset with the property that when 
we decompose each n bit value into k consecutive blocks of m contiguous bits, 
k − 1 of the blocks contain (possibly different) constants across the multiset, and 
the i-th block contains exactly once each one of the $2^m$ possible m-bit values. 
Similarly, we denote by $D^k$ a multiset that decomposes into k multisets each 
one of which has property D. This decomposition should be understood not as 
a cross product of k multisets but as a collection of k projections of n bit to 
m bit values. Note that this decomposition operation is usually nonreversible, 
since we lose the order in which the values in the various blocks are combined. 
For example the multiset decomposition 

{0,1,2,3}{1,1,2,2}{1,1,1,1} 

(which has the multiset property PEC for m = 2) can be derived from several dif- 
ferent multisets such as {(011), (111), (221), (321)} or {(021), (121), (211), (311)}. 

Let us consider now how these extended multiset properties are transformed 
by layers of S-boxes and affine mappings: 

Lemma 2 
1. Property $PC^{k-1}$ is preserved by a layer of arbitrary S-boxes 
provided that the i-th S-box is bijective. 
2. Property $D^k$ is transformed into property $D^k$ by a layer of bijective S-boxes. 
3. Property $D^k$ is transformed into $B^k$ by an arbitrary linear mapping on n bits, 
and by an arbitrary affine mapping when the size of the multiset is even. 
4. Property $PC^{k-1}$ is transformed into property $D^k$ by an arbitrary affine 
mapping when the size of the multiset is even. 

Proof 

The only non-trivial claims are 3 and 4. Let us show why claim 3 holds. Denote 
by 

$$y_j = \bigoplus_{i=1}^{n} a_{ji} x_i$$

a bit $y_j$ at the output of the linear mapping. Property B holds since for each j, 
the sum (mod 2) of $y_j$ bits over the $2^m$ elements of the multiset is zero: 

$$\bigoplus_{s=1}^{2^m} y_j^{(s)} = \bigoplus_{s=1}^{2^m} \bigoplus_{i=1}^{n} a_{ji} x_i^{(s)} = \bigoplus_{i=1}^{n} a_{ji} \bigoplus_{s=1}^{2^m} x_i^{(s)} = 0 .$$

The last expression is zero since by Lemma 1 claim 1, both P and E (and thus 
D) imply the B-property. The result remains true even when we replace the 
linear mapping by an affine mapping if we XOR the additive constant an even 
number of times. 

Let us now show why claim 4 holds. Any affine mapping over GF(2) can be 
divided into k distinct n to m-bit projections. Since (k − 1)m of the input bits 
are constant, we will be interested only in restrictions of these affine mappings 
to new affine mappings that map the i-th block of m bits (the one which has 
the P property) into some other m-bit block in the output: 

$$y = A_{ij}(x) = L_{ij} \cdot x \oplus B_j, \qquad j = 1, \ldots, k .$$

Here $L_{ij}$ is an arbitrary m × m (not necessarily invertible) binary matrix and 
$B_j \in \{0,1\}^m$. We can again ignore $B_j$ since it is XOR'ed an even number of 
times. If $L_{ij}$ is invertible over GF(2), then $L_{ij} \cdot x$ is a 1-1 transform and thus 
$L_{ij} \cdot x$ gets all the $2^m$ possible values when x ranges over all the $2^m$ possible 
inputs, so it has property P. 

Thus we are left with the case of non-invertible $L_{ij}$. Suppose that 

$$\operatorname{rank}(L_{ij}) = r < m .$$

The kernel is defined as the set of solutions of the homogeneous linear equa- 
tion $L_{ij} \cdot x = 0$. Let $x_0$ be some solution of the non-homogeneous equation 
$L_{ij} \cdot x = y$. Then all the solutions of the non-homogeneous equation have the 
form $x_0 \oplus v_0$, where $v_0$ is any vector from the kernel. The size of the kernel is 
$2^{m-r}$, and thus each y has either no preimages or exactly $2^{m-r}$ preimages. Since 
r < m by assumption, $2^{m-r}$ is even, and thus the multiset of m-bit results has 
property E. Consequently each block of m bits of the output has either property 
P or property E, and thus the n bit output has property $D^k$, as claimed. 

2.2 Recovering Layers S1 and S3 

The first phase of the attack finds the two outermost layers S1 and S3, in order 
to "peel them off" and attack the inner layers. 

Consider a multiset of chosen plaintexts with property $PC^{k-1}$. The key 
observations behind the attack are: 

1. The given multiset is transformed by layer S1 into a multiset with property 
$PC^{k-1}$, by Lemma 2 claim 1. 

2. The $PC^{k-1}$ multiset is transformed by the affine mapping A1 into a 
multiset with property $D^k$, by Lemma 2 claim 4. 

3. The multiset property $D^k$ is preserved by layer S2, and thus the output 
multiset is also $D^k$, by Lemma 2 claim 2. 

4. The multiset property $D^k$ is not necessarily preserved by the affine mapping 
A2, but the weaker property $B^k$ is preserved. 

5. We can now express the fact that the collection of inputs to each S-box in 
S3 satisfies property B by a homogeneous linear equation. We will operate 
with m-bit quantities at once as if working over $GF(2^m)$ (XOR and ADD 
are the same in this field). Variable $Z_i$ represents the m-bit input to the 
S-box which produces i as an output (i.e., the variables describe $S^{-1}$, which 
is well defined since S is invertible), and we use $2^m$ separate variables for 
each S-box in S3. When we are given a collection of actual ciphertexts, we 
can use their m-bit projections as indices to the variables, and equate the 
XOR of the indexed variables to $0^m$. Different collections of chosen plaintexts 
are likely to generate linear equations with different random looking subsets 
of variables (in which repetitions are cancelled in pairs). When sufficiently 
many linear equations are obtained we can solve the system by Gaussian 
elimination in order to recover all the S-boxes in S3 in parallel. 

Unfortunately, we cannot get a system of equations with a full rank of $2^m$. 
Consider the truth table of the inverted S-box as a $2^m$ × m-bit matrix. Since the 
S-box is bijective, the columns of this matrix are m linearly independent $2^m$-bit 
vectors. Any linear combination of the S-box input bits (which are outputs of 
the inverted S-box) is also a possible solution, and thus the solution space must 
have a dimension of at least m. Moreover, since all our equations are XOR's of 
an even number ($2^m$) of variables, the bit complement of any solution is also a 
solution. Since the system of linear equations has a kernel of dimension at least 
m + 1, there are at most $2^m - m - 1$ linearly independent equations in our system. 
When we tested this issue in an actual implementation of the attack for m = 8, 
we always got a linear system of rank 247 in 256 variables, as expected from the 
formula. 

Fortunately, this rank deficiency is not a problem in our attack. When we pick 
any one of the non-zero solutions, we do not get the "true" $S^{-1}$, but $A(S^{-1})$, 
where A is an arbitrary invertible affine mapping over m-bits. By taking the 
inverse we obtain $S(A^{-1})$. This is the best we can hope for at this phase, since 
the arbitrarily chosen $A^{-1}$ can be compensated for when we find $A(A_2) = A'_2$ 
instead of the "true" affine transform $A_2$, and thus the various solutions are 
simply equivalent keys which represent the same plaintext/ciphertext mapping. 

A single collection of $2^m$ chosen plaintexts gives rise to one linear equation in 
the $2^m$ unknowns in each one of the k S-boxes in layer S3. To get $2^m$ equations, 
we can use $2^{2m}$ ($2^{16}$) chosen plaintexts of the form (A, u, B, v, C), in which we 
place the P structures u and v at any two block locations, and choose A, B, C 
as arbitrary constants. For each fixed value of u, we get a single equation by 
varying v through all the possible $2^m$ values. However, we can get an additional 
equation by fixing v and varying u through all the $2^m$ possible values. Since 
we get $2 \cdot 2^m$ equations in $2^m$ unknowns, we can reduce the number of chosen 
plaintexts to $\frac{3}{4} \cdot 2^{2m}$ by eliminating the $\frac{1}{4}$ of the plaintexts in which u and v are 
simultaneously chosen in the top half of their range. The matrix of these (u, v) 
values has a missing top-right quarter, and we get half the equations we need 
from the full rows and half the equations we need from the full columns of this 
"L" shaped matrix. 

Solving each system of linear equations by Gaussian elimination requires $2^{3m}$ 
steps, and thus we need $k 2^{3m}$ steps to find all the S-boxes in S3. For the Rijndael- 
like choice of parameters n = 128, m = 8 and k = 16, we get a very modest time 
complexity of $2^{28}$. 

To find the other external layer S1, we can use the same attack in the reverse 
direction. However, the resultant attack requires both chosen plaintexts and 
chosen ciphertexts. In Section 3 we describe a slightly more complicated attack 
which requires only chosen plaintexts in all its phases. 
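The multiset calculus of Section 2.1 and the first phase of the attack above, run on a toy instance as an added illustration (this code is ours, not the authors' implementation; the parameters m = 4, k = 3 and the seeds are our choices): it builds a random SASAS cipher, checks Lemma 2 on one $PC^{k-1}$ multiset ($D^k$ after A1 and S2, $B^k$ after A2), derives the homogeneous equations in the $2^m$ entries of $S_3^{-1}$ from ciphertext projections, and shows that their rank is at most $2^m - m - 1$ (11 here, the analogue of 247 for m = 8) while the true inverse S-box satisfies every equation.

```python
import random
from collections import Counter
from functools import reduce
# Toy SASAS instance (our choice): k = 3 bijective S-boxes on m = 4 bits, so n = 12.
M, K = 4, 3
N = M * K
MASK = (1 << M) - 1
parity = lambda x: bin(x).count("1") & 1

def gf2_rank(rows):
    """Rank over GF(2) of row vectors packed as ints (bit i of a row = column i)."""
    rows, rank = list(rows), 0
    while rows:
        pivot = max(rows)                 # row with the highest leading bit
        if pivot == 0:
            break
        rows.remove(pivot)
        rank += 1
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
    return rank

def block(x, i):                          # the i-th m-bit block of an n-bit value
    return (x >> (M * i)) & MASK

def sbox_layer(boxes, x):
    return sum(boxes[i][block(x, i)] << (M * i) for i in range(K))

def affine_layer(layer, x):
    """A(x) = L x xor B, with L given as n row vectors (ints) and B as an int."""
    rows, const = layer
    return sum(parity(row & x) << j for j, row in enumerate(rows)) ^ const

def build_cipher(seed):
    """Secret layers S1, A1, S2, A2, S3 drawn at random; only invertible L are kept."""
    rng = random.Random(seed)
    def sbox():
        t = list(range(1 << M))
        rng.shuffle(t)
        return t
    def affine():
        while True:
            rows = [rng.getrandbits(N) for _ in range(N)]
            if gf2_rank(rows) == N:
                return rows, rng.getrandbits(N)
    layer = lambda: [sbox() for _ in range(K)]
    return layer(), affine(), layer(), affine(), layer()

def encrypt(cipher, x):
    s1, a1, s2, a2, s3 = cipher
    x = affine_layer(a1, sbox_layer(s1, x))
    x = affine_layer(a2, sbox_layer(s2, x))
    return sbox_layer(s3, x)

def multiset_PC(rng, i):
    """2^m chosen plaintexts: block i runs over all values (P), other blocks constant (C)."""
    c = rng.getrandbits(N) & ~(MASK << (M * i))
    return [c | (v << (M * i)) for v in range(1 << M)]

def has_property_D(values, i):
    """Block i is a permutation (P) or every value occurs an even number of times (E)."""
    counts = Counter(block(v, i) for v in values)
    return len(counts) == 1 << M or all(c % 2 == 0 for c in counts.values())

def property_trace(cipher, seed=5):
    """Lemma 2 on one PC^{k-1} multiset: D^k after A1, still D^k after S2, B^k after A2."""
    s1, a1, s2, a2, _ = cipher
    after_a1 = [affine_layer(a1, sbox_layer(s1, p)) for p in multiset_PC(random.Random(seed), 1)]
    after_s2 = [sbox_layer(s2, x) for x in after_a1]
    after_a2 = [affine_layer(a2, x) for x in after_s2]
    balanced = lambda vals, i: reduce(lambda a, b: a ^ b, (block(x, i) for x in vals), 0) == 0
    return (all(has_property_D(after_a1, i) for i in range(K)),
            all(has_property_D(after_s2, i) for i in range(K)),
            all(balanced(after_a2, i) for i in range(K)))

def phase1_equations(cipher, j, trials, seed=1):
    """One homogeneous equation per chosen multiset in the 2^m unknown entries of S3_j^{-1}:
    bit v is set iff ciphertext projection v occurs an odd number of times (pairs cancel)."""
    rng = random.Random(seed)
    rows = []
    for t in range(trials):
        eq = 0
        for p in multiset_PC(rng, t % K):
            eq ^= 1 << block(encrypt(cipher, p), j)
        rows.append(eq)
    return rows

def true_inverse_satisfies(cipher, j, rows):
    """Every output-bit column of the true S3_j^{-1} truth table solves all equations,
    because the S3 inputs of each multiset have the B property (rank stays <= 2^m - m - 1)."""
    inv = [0] * (1 << M)
    for x, y in enumerate(cipher[4][j]):
        inv[y] = x
    cols = [sum(((inv[v] >> b) & 1) << v for v in range(1 << M)) for b in range(M)]
    return all(parity(eq & col) == 0 for eq in rows for col in cols)

if __name__ == "__main__":
    c = build_cipher(2024); eqs = phase1_equations(c, 0, 80)
    print(property_trace(c), gf2_rank(eqs), (1 << M) - M - 1, true_inverse_satisfies(c, 0, eqs))
```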

2.3 Attacking the Inner Layers ASA 

The second phase of the attack finds the middle three layers. We are left with 
a structure A'2 S2 A'1 - two (possibly modified) affine layers and an S-box layer 
in the middle. In order to recover the affine layers we use Biham's low rank 
detection technique from [2]. Consider an arbitrary pair of known plaintexts $P_1$ 
and $P_2$ with difference $P_1 \oplus P_2$. With probability $k/2^m$, after A'1 there will be 
no difference at the input to one of the k S-boxes in S2. Thus there will also be 
no difference at the output of this S-box. Consider now the set of pairs $P_1 \oplus C_i$, 
$P_2 \oplus C_i$ for many randomly chosen n-bit constants $C_i$. Any pair in this set still 
has this property, and thus the set of all the obtained output differences after 
A'2 will have a rank of at most n − m, which is highly unusual for random n 
dimensional vectors. Consequently, we can confirm the desired property of the 
original pair $P_1$ and $P_2$ by applying this low rank test with about n modifiers. 

We want to generate and test pairs with zero input differences at each one 
of the k S-boxes. We choose a pool of t random vectors $P_j$ and another pool 
of n modifiers $C_i$, and encrypt all the nt combinations $P_j \oplus C_i$. We have about 
$t^2/2$ possible pairs of $P_j$'s, each one of them has a probability of $k/2^m$ to have 
the desired property at one of the S-boxes, and we need about $k \cdot \log(k)$ random 
successes to cover all the k S-boxes. The critical value of t thus satisfies 
$t^2/2 \cdot k/2^m = k \cdot \log(k)$ and thus $t = \sqrt{2^{m+1} \log(k)}$. For n = 128, m = 8 and k = 16 we 
get $t = 2^{5.5}$, and thus the total number of chosen plaintexts we need is $nt = 2^{12.5}$, 
which is much smaller than the number we used in the first phase of the attack. 

Now we use linear algebra in order to find the structure of A'2. Consider the 
representation of A'2 as a set of n vectors $V_0, V_1, \ldots, V_{n-1}$, $V_i \in \{0,1\}^n$, where A'2 
transforms an arbitrary binary vector $b = b_0, b_1, \ldots, b_{n-1}$ by producing the linear 
combination: 

$$A'_2(b) = \bigoplus_{i=0}^{n-1} b_i V_i$$

(we can ignore the affine constants viewing them as part of the S-box). From the 
data pool we extract information about k different linear subspaces of dimension 
n − m (= 120). Then we calculate the intersection of any k − 1 (= 15) of them. 
This intersection is an m-dimensional linear subspace which is generated by all 
the possible outputs from one of the S-boxes in layer S2, after it is expanded 
from 8 bits to 128 bits by A'2. We perform this operation for each S-box and by 
this we find a linear mapping A'2 which is equivalent to the original choice. The 
complexity of this phase is that of Gaussian elimination on a set of O(n − m) 
equations. 

After finding and discarding A'2, we are left with the two layer structure S2 A'1. 
If we need to perform only decryption, we can recover this combined mapping 
by writing formal expressions for each bit, and then solving the linear equations 
with $k 2^m$ ($2^{12}$) variables. If we also need to perform encryption this trick will not 
work, since the formal expressions will be huge. However, we can just repeat our 
attack in the reverse direction by using chosen ciphertexts and recover A'1. After 
that we can find the remaining layer S2 with about $2^m$ known plaintexts. Again 
we will find not the real S-box layer S2 but the equivalent one which corresponds 
to the modified A'1, A'2 that we have found in earlier phases. 

Comment: for one of the mappings we need to know the order of the sub- 
spaces: we can assume arbitrary order of subspaces in A'2 together with arbitrary 
order of S-boxes in S2, however at this point the order of subspaces in A'1 is no 
longer arbitrary. If after finding A'2 we mount the same attack on S2 A'1 from 
the ciphertext direction, we can recover A'1 together with the correct ordering 
information. 

The complete attack uses about $2^{2m}$ chosen plaintexts ($2^{16}$) and about $k 2^{3m}$ 
($16 \cdot 2^{24} = 2^{28}$) steps. We tested the attack with an actual implementation, and 
it always ended successfully after a few seconds of computation on a single PC. 
The attack remains practical even if we increase the size of the plaintexts from 
128 to 1024 bits and replace the 8-bit S-boxes by 16-bit S-boxes, since with these 
parameters the attack requires $2^{32}$ chosen plaintexts and $64 \cdot 2^{48} = 2^{54}$ time. 

3 A Chosen Plaintext Attack on ASAS 

In this section we show how to use a pure chosen plaintext attack, and avoid the 
less realistic chosen plaintext and chosen ciphertext attack. The modified attack 
has the same time and data complexities as the original attack. 

After the first phase of the original attack we are left with an A2 S2 A1 S1 
structure, since we can recover only one of the two external S-box layers. Since 
the inputs go through the additional S-box layer S1, we can no longer argue 
that for any $C_i$, $P_1 \oplus C_i$ and $P_2 \oplus C_i$ will have a zero difference at the input to 
some S-box in S2 whenever $P_1$ and $P_2$ have this property. We thus have to use 
a more structured set of modifiers which can be nonzero only at the inputs to 
the S-boxes in which $P_1$ and $P_2$ are identical. 

For the sake of simplicity, we consider in this section only the standard pa- 
rameters. We use $2^{16}$ chosen plaintexts with the multiset property $PPC^{k-2}$ (the 
two P's could be placed anywhere, and we could reuse the chosen plaintexts 
from the first phase of the attack). There are $2^{15}$ different ways to choose a pair 
of values from the first P. For each such pair $(a_1, a_2)$, we generate a group of 
$2^8$ pairs of extensions of the form $(a_1, b_0, c, d, \ldots)$ and $(a_2, b_0, c, d, \ldots)$ where $b_0$ 
is any common element from the second P, and c, d, ... are the constants from 
$C^{k-2}$. We claim that all these $2^8$ pairs will have the same difference at the output 
of S1, since the first S-box gets a fixed pair of values and the other S-boxes get 
identical inputs in each pair. We can now apply the low rank test since we have 
sufficiently many choices of $(a_1, a_2)$ to get a zero difference at the input to each 
S-box in S2 with high probability, and for any such $(a_1, a_2)$ we have sufficiently 
many pairs with the same difference in order to reliably test the rank of the out- 
put vectors. Once we discover the partition of the output space into 16 different 
linear subspaces of dimension 120, we can again find the intersection of any 15 
of them in order to find the 8 dimensional subspace generated by the outputs of 
each one of the 16 S-boxes. We fix A'2 by choosing any set of 8 arbitrary spanning 
vectors in each one of the 16 subspaces, and this is the best we can possibly do 
in order to characterize A'2 due to the existence of equivalent keys. 

One possible problem with this compact collection of plaintexts is that the 
attack may fail for certain degenerate choices of affine mappings. For example, if 
both A1 and A2 are the identity mapping, the insufficiently mixed intermediate 
values always lead to very low output ranks. However, the attack was always 
successful when tested with randomly chosen affine mappings. 
After peeling off the computed A'2, we are now left with an S2 A1 S1 structure, 
which is different from the A'2 S2 A'1 structure we faced in the original attack. 
We have already discovered in the previous part of the attack many groups of 
256 pairs of plaintexts, where in each group we know that the XOR of each 
pair of inputs to any particular S-box in S2 is the same constant. We do not 
know the value of this constant, but we can express this property as a chain of 
homogeneous linear equations in terms of the values of the inverse S-box, which 
are indexed by the known outputs from the S2 A1 S1 structure. A typical example 
of the equations generated from one group is 

$$S^{-1}(1) \oplus S^{-1}(72) = S^{-1}(255) \oplus S^{-1}(\,?\,) = S^{-1}(167) \oplus S^{-1}(217) = \ldots$$

If we need additional equations, we simply use another one of the $2^{15}$ possible 
groups of pairs, which yields a different chain of equations (with a different un- 
known constant). Note that these sparse linear equations are completely different 
from the dense equations we got in the first phase of the attack, which expressed 
the B property by equating the XOR's of various random looking subsets of 256 
variables to $0^m$. 

We are finally left with a simple A'1 S1 structure. It can be attacked in a 
variety of ways, which are left as an exercise for the reader. 



Comments: 

— The attack works in exactly the same way if the affine mappings are over 
finite fields with even characteristic. In particular, it can be applied to 
Rijndael-like schemes in which the affine transforms are over $GF(2^8)$. 

— The attack can be extended to the case where S2 contains arbitrary random 
(not necessarily bijective) S-boxes with a small penalty in the number of 
chosen plaintexts. Direct application of our attack will not work, since the P 
property at the input to some S-box in layer S2 may not result in a balanced 
output after S2 if this particular S-box is non-bijective. In order to overcome 
this difficulty we can work with double-sized 2m-bit S-boxes at layer S1. 
We consider a projection mapping from 2m to m bits (in the affine 
mapping A1) which necessarily has a non-zero kernel (and thus always has 
the E property which is preserved even by non-bijective S-boxes, and not 
the P property which is not preserved by non-bijective S-boxes). The attack 
works in exactly the same way with the exception that we pay a factor of 
$2^m$ in data and in the process of equation preparation (now each equation is 
the XOR of $2^{2m}$ variables instead of $2^m$). The total complexity of the attack 
becomes $2^{3m}$ chosen plaintexts and $k 2^{3m}$ steps. 

— We can attack the scheme even if a sparse linear mapping (a bit permutation 
or a mapping that mixes small sets of bits like the Serpent mappings) is 
added to the input. The attack works as long as we can guess columns 
of the linear mapping that correspond to the inputs of one particular S-box 
in S1. If we add an initial bit permutation with the standard parameters, 
we can guess which 8 plaintext bits enter this S-box, and construct the 
$C^{i-1} P C^{k-i}$ structure we need to get each linear equation with just this 
knowledge. Note that to generate the P property we can choose these 8 bits 
in an unordered way, and to generate the other property we don't care 
about the destination of the other bits under the bit permutation, and thus 
the number of cases we have to consider is at most $\binom{128}{8} \approx 2^{40}$. By increasing 
the time complexity of the attack by this number, we get a (barely practical) 
attack on this six layer scheme. By symmetry, we can also attack the scheme 
in which the additional bit permutation layer is added at the end, and with a 
somewhat higher complexity we can attack the seven layer scheme in which 
we add unknown bit permutations both at the beginning and at the end of 
the scheme. It is an open problem whether we can attack with reasonable 
complexity six layer schemes with a general affine mapping added either at 
the beginning or at the end. 

— We can attack the scheme even if the S-boxes have inputs of different sizes 
which are unknown to the attacker, since this information will be revealed 
by rank analysis. 

— We can attack modified schemes which have various types of feedback con- 
nections between the S-boxes in the first and last rounds (see Figure 2 for 
one example). The idea is that we still have some control over multisets 
in such construction: We can cause the rightmost S-box to run through all 
the possible inputs (if the XORed feedback is a constant) and thus can force 
multisets to have the $C^{k-1} P$ property after S1 even when the indicated feed- 
back connections are added. The extraction of the S-boxes in the last layer 
S3 has to be carried out sequentially from right to left, in order to take into 
account the effect of the feedbacks at the bottom. 

— The attack stops working if S 3 contains non-bijective S-boxes. One can es- 
timate the sizes of the equivalence (collision) classes of the outputs of the 
particular S-box. However even writing the linear equations does not seem 
possible: If we get the same output value twice in our structure, we cannot 
tell which variables should be used as the input of the S-box in each case. 
Abstract. Bent functions have maximal minimum distance to the set 
of affine functions. In other words, they achieve the maximal minimum 
distance to all the coordinate functions of affine monomials. In this paper 
we introduce a new class of bent functions which we call hyper-bent func- 
tions. Functions within this class achieve the maximal minimum distance 
to all the coordinate functions of all bijective monomials. We provide an 
explicit construction for such functions. We also extend our results to 
vectorial hyper-bent functions. 

Key words. Boolean functions, bent functions, hyper-bent functions, 
nonlinearity. 



1 Introduction 

Nonlinearity [?] is a crucial requirement for the Substitution boxes (S-boxes) 
in secure block ciphers. The success of linear cryptanalysis [?] depends on how 
well the S-box functions can be approximated by an affine function. Highly 
nonlinear functions provide good resistance towards linear cryptanalysis. On the 
other hand, even such functions can be attacked by higher order differential 
cryptanalysis [?] [?] if they have a low algebraic degree. From the view point 
of polynomials, Jakobsen and Knudsen [?] introduced the interpolation attack 
on block ciphers. This attack is useful for attacking ciphers using simple alge- 
braic functions as S-boxes. In [?] Jakobsen extended this cryptanalysis method 
to attack block ciphers with probabilistic nonlinear relations of low degree. The 
complexity of both attacks depends on the degree of the polynomial approxima- 
tion and/or on the number of terms in the polynomial approximation expression. 
Along the same line of research, Gong and Golomb [?] introduced a new crite- 
rion for the S-box design. By showing that many block ciphers can be viewed as 
a non linear feedback shift register with input, Gong and Golomb proposed that 
S-boxes should not be approximated by a bijective monomial. The reason is that, 
for $\gcd(c, 2^n - 1) = 1$, the trace functions $Tr(\lambda x^c)$ and $Tr(\lambda x)$, $x \in GF(2^n)$, are 
both m-sequences with the same linear span. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 40fi- BTol 2001. 

(c) Springer- Verlag Berlin Heidelberg 2001 
For Boolean functions with an even number of input variables, bent functions achieve 
the maximal minimum distance to the set of affine functions. In other words, 
they achieve the maximal minimum distance to all the coordinate functions 
of affine monomials (i.e., functions of the form $Tr(\lambda x) + e$). However, this 
doesn't guarantee that such bent functions cannot be approximated by the co- 
ordinate functions of bijective monomials (i.e., functions of the form $Tr(\lambda x^c) + e$, 
$\gcd(c, 2^n - 1) = 1$). For example, 120 bent functions out of the 896 bent func- 
tions with 4 input variables have a minimum Hamming distance of 2 
from the coordinate functions of the monomial $x^7$ and their complements. 

A natural question is whether there exists a class of functions that have the 
same distance to all the coordinate functions of all bijective monomials. In this 
paper we give an affirmative answer to this question and provide an explicit 
construction method for such functions. Functions obtained by our construction 
also achieve the maximum algebraic normal form degree. We also extend our 
results to vectorial boolean functions. 

We conclude this section by the notation and concepts which will be used 
throughout the paper. For the theory of shift register sequences and finite fields, 
the reader is referred to [?], [?]. 

- $K = GF(2^N)$. 

- $E = GF(2^n)$. 

- $F = GF(2)$. 

- $\alpha$ a primitive element of K. 

- $Tr_M^N(x)$, M | N, represents the trace function from $F_{2^N}$ to $F_{2^M}$, i.e., 
$Tr_M^N(x) = x + x^q + \cdots + x^{q^{l-1}}$ where $q = 2^M$ and l = N/M. If M = 1 and the context 
is clear, we write it as Tr(x). 

- $a = \{a_i\}$, a binary sequence with period $s \mid 2^N - 1$. Sometimes, we also use 
a vector of dimension s to represent a sequence with period s. I.e., we also 
write $a = (a_0, a_1, \cdots, a_{s-1})$. 

- Per(b), the least period of a sequence b. 

- wt(s): the number of 1's in one period of the sequence s or the number of 
1's in the set of images of the function $s(x) : GF(2^m) \to GF(2)$. This is the 
so-called Hamming weight of s whether s is a periodic binary sequence 
or a function from $GF(2^m)$ to GF(2). 

2 Preliminaries 

There exists a 1-1 correspondence among the set of binary sequences with period dividing $2^{N} - 1$, the set of polynomial functions from $GF(2^{N})$ to $GF(2)$, and the set of Boolean functions in $N$ variables, through the trace representation of sequences. However, these connections are scattered in the literature. In this section we put this 1-1 correspondence together.
B. 1-1 Correspondence Among Periodic Sequences, Polynomial Functions and Boolean Functions

Let

- $\mathcal{S}$ be the set of all binary sequences with period $r \mid 2^{N} - 1$,

- $\mathcal{F}$ be the set of all (polynomial) functions from $GF(2^{N})$ to $GF(2)$, and

- $\mathcal{B}$ be the set of all Boolean functions in $N$ variables.

There is a 1-1 correspondence among these three sets, which we explain as follows.



B1. 1-1 Correspondence Between $\mathcal{S}$ and $\mathcal{F}$

Without loss of generality, assume that $f(0) = 0$. Any non-zero function $f(x) \in \mathcal{F}$ can be represented as

$$f(x) = \sum_{i=1}^{s} \mathrm{Tr}_{1}^{m_{t_i}}\big(A_i x^{t_i}\big), \qquad A_i \in GF(2^{m_{t_i}}), \tag{1}$$

where $t_i$ is a coset leader of a cyclotomic coset modulo $2^{N} - 1$, and $m_{t_i} \mid N$ is the size of the cyclotomic coset containing $t_i$. For any sequence $a = \{a_i\} \in \mathcal{S}$ there exists $f(x) \in \mathcal{F}$ such that

$$a_i = f(\alpha^{i}), \qquad i = 0, 1, \ldots,$$

where $\alpha$ is a primitive element of $K$. $f(x)$ is called the trace representation of $a$. ($a$ is also referred to as an $s$-term sequence.) If $f(x)$ is any function from $K$ to $F$, then by evaluating $f(\alpha^{i})$ we get a sequence over $F$ with period dividing $2^{N} - 1$. Thus

$$a \longleftrightarrow f(x) \tag{2}$$

is a one-to-one correspondence between $\mathcal{F}$ and $\mathcal{S}$ through the trace representation (1). We say that $f(x)$ is the trace representation of $a$ and that $a$ is the evaluation of $f(x)$ at $\alpha$. In this paper we also use the notation $a \leftrightarrow f(x)$ to represent the fact that $f(x)$ is the trace representation of $a$. The set consisting of the exponents that appear in the trace terms of $f(x)$ is said to be the null spectrum set of $f(x)$ or of $a$.

If $s = 1$, i.e.

$$a_i = \mathrm{Tr}_{1}^{N}(\beta \alpha^{i}), \qquad i = 0, 1, \ldots, \quad \beta \in K^{*},$$

then $a$ is an m-sequence over $F$ of period $2^{N} - 1$ and degree $N$. (For a detailed treatment of the trace representation of sequences, see [ref].)
B2. 1-1 Correspondence Between $\mathcal{F}$ and $\mathcal{B}$

Let $\{\alpha_0, \ldots, \alpha_{N-1}\}$ be a basis of $K/F$ and let $\alpha$ be a primitive element of $K$. For $x \in K$ we can represent $x$ as

$$x = x_0 \alpha_0 + x_1 \alpha_1 + \cdots + x_{N-1} \alpha_{N-1}, \qquad x_i \in F.$$

Thus we have

$$f(x) = f\Big(\sum_{i=0}^{N-1} x_i \alpha_i\Big) = g(x_0, \ldots, x_{N-1}),$$

i.e.

$$f(x) \longmapsto g(x_0, \ldots, x_{N-1}) \tag{3}$$

is a bijective map from $\mathcal{F}$ to $\mathcal{B}$. On the other hand, from the Lagrange interpolation [ref], for a given Boolean function $g(x_0, \ldots, x_{N-1}) \in \mathcal{B}$ we can determine its polynomial representation $f(x)$ as follows:

$$f(x) = \sum_{i=0}^{2^{N}-1} c_i x^{i}, \tag{4}$$

where $c_0 = g(0, \ldots, 0)$ and, for $1 \le i \le 2^{N} - 1$,

$$c_i = \sum_{x \in K^{*}} \big(g(x_0, \ldots, x_{N-1}) - g(0, \ldots, 0)\big)\, x^{-i},$$

with $x = \sum_i x_i \alpha_i$. Thus (4) gives a bijective map from $\mathcal{B}$ to $\mathcal{F}$ which is the inverse of (3). The correspondence among $\mathcal{S}$, $\mathcal{F}$ and $\mathcal{B}$ is shown in Figure 1.

Fig. 1. Correspondence among $\mathcal{S}$, $\mathcal{F}$ and $\mathcal{B}$ (diagram: sequences, polynomial functions and Boolean functions, linked pairwise by the maps (2), (3) and (4))

From the above diagram, we have a 1-1 correspondence between $\mathcal{S}$, the set of all binary sequences with period dividing $2^{N} - 1$, and $\mathcal{B}$, the set of Boolean functions in $N$ variables.
3 Extended Transform Domain Analysis for Boolean Functions

The Hadamard transform of $f: E \to F$ is defined by [ref]

$$\hat f(\lambda) = \sum_{x \in E} (-1)^{f(x) + \mathrm{Tr}(\lambda x)}, \qquad \lambda \in E. \tag{5}$$

The Hadamard transform spectrum of $f$ exhibits the nonlinearity of $f$. More precisely, the nonlinearity of $f$ is given by

$$NL(f) = 2^{n-1} - \frac{1}{2} \max_{\lambda \in E} |\hat f(\lambda)|,$$

i.e. the absolute value of $\hat f(\lambda)$ reflects the difference between the agreements and disagreements of $f(x)$ and the linear function $\mathrm{Tr}(\lambda x)$. Only bent functions [ref] have a constant Hadamard transform spectrum. Gong and Golomb [ref] showed that many block ciphers can be viewed as a nonlinear feedback shift register with input. In the analysis of shift register sequences [ref], all m-sequences are equivalent under the decimation operation on the elements of a sequence. The same idea can be used to approximate Boolean functions, i.e., we can use monomial functions instead of linear functions to approximate Boolean functions. In other words, for $\gcd(c, 2^{n} - 1) = 1$, the trace functions $\mathrm{Tr}(\theta x^{c})$ and $\mathrm{Tr}(\lambda x)$ have the same linear span. From the viewpoint of m-sequences, both of the sequences $\{\mathrm{Tr}(\theta \alpha^{ci})\}_{i \ge 0}$ and $\{\mathrm{Tr}(\lambda \alpha^{i})\}_{i \ge 0}$ are m-sequences of period $2^{n} - 1$; the former can be obtained from the latter by decimation by $c$. Gong and Golomb [ref] introduced the concept of the extended Hadamard transform (EHT) for a function from $E$ to $F$. The extended Hadamard transform is defined as follows.

Definition 1. Let $f(x)$ be a function from $E$ to $F$. Let

$$\hat f(\lambda, c) = \sum_{x \in E} (-1)^{f(x) + \mathrm{Tr}(\lambda x^{c})}, \tag{6}$$

where $\lambda \in E$ and $c$ is a coset leader modulo $2^{n} - 1$ co-prime to $2^{n} - 1$. Then we call $\hat f(\lambda, c)$ an extended Hadamard transform of the function $f$.

Notice that the Hadamard transform of $f$, defined by (5), is $\hat f(\lambda, 1)$. The numerical results in [ref] show that, for all the coordinate functions $f_i$, $i = 1, \ldots, 32$, of the DES s-boxes, the distribution of $\hat f_i(\lambda, c)$ in $\lambda$ is invariant for all $c$.

Thus a new generalized nonlinearity measure can be defined as

$$NLG(f) = 2^{n-1} - \frac{1}{2} \max_{\substack{\lambda \in E \\ c:\ \gcd(c, 2^{n} - 1) = 1}} |\hat f(\lambda, c)|.$$

This leads to a new criterion for the design of Boolean functions used in conventional cryptosystems: the EHT of a Boolean function should not have any large component.

Throughout the rest of the paper, we consider functions with an even number of input variables.
4 Construction for Hyper-bent Functions

In this section we introduce a new class of functions which have a constant EHT spectrum. A binary function $f: K \to F$ is said to be hyper-bent if and only if the EHT of $f$,

$$\hat f(\lambda, c) = \sum_{x \in K} (-1)^{\mathrm{Tr}(\lambda x^{c}) + f(x)} = \pm 2^{n}$$

for all $\lambda \in K$ and for all $c$ with $\gcd(c, 2^{2n} - 1) = 1$. Clearly a hyper-bent function must be bent.

Let $b = \{b_j\}_{j \ge 0}$ be a binary sequence with period $2^{n} + 1$. In the following, we first give the criterion under which $g(x) \leftrightarrow b$, $g(0) = 0$, is hyper-bent, and count the number of such functions. Then we show that all hyper-bent functions obtained from our construction achieve maximal algebraic degree.

Theorem 1. With the above notation, $g(x)$ is hyper-bent if and only if $\mathrm{wt}(b) = 2^{n-1}$, i.e., $b$ is balanced. (A sequence is said to be balanced if the disparity between the number of 1's and the number of 0's in one period does not exceed 1. Since the period $2^{n} + 1$ is odd, the theorem requires the balanced sequence with exactly $2^{n-1}$ ones, not the one with $2^{n-1} + 1$ ones.)

In order to prove Theorem 1 we need the following lemmas. Let $r = 2^{n} - 1$ and $d = 2^{n} + 1$. Write $u_i = \mathrm{Tr}(\lambda \alpha^{ci})$, $i = 0, 1, \ldots$; thus $u = \{u_i\}$ is an m-sequence of period $2^{2n} - 1$ (for $\lambda \ne 0$ and $\gcd(c, 2^{2n} - 1) = 1$). Let $v = u + b$. Then $v$ can be written as a $(d, r)$-interleaved sequence [ref], i.e., $v$ can be arranged into the following $r \times d$ array

$$\begin{bmatrix} v_0 & v_1 & \cdots & v_{d-1} \\ v_d & v_{d+1} & \cdots & v_{2d-1} \\ \vdots & \vdots & & \vdots \\ v_{d(r-1)} & v_{d(r-1)+1} & \cdots & v_{rd-1} \end{bmatrix} = (\mathbf{v}_0, \mathbf{v}_1, \ldots, \mathbf{v}_{d-1}),$$

where the $\mathbf{v}_j$ are the columns of the matrix.

Lemma 1. $\mathbf{v}_j = \mathbf{u}_j + \mathbf{b}_j$, where the $\mathbf{u}_j$ are the columns of the matrix

$$\begin{bmatrix} u_0 & u_1 & \cdots & u_{d-1} \\ u_d & u_{d+1} & \cdots & u_{2d-1} \\ \vdots & \vdots & & \vdots \\ u_{d(r-1)} & u_{d(r-1)+1} & \cdots & u_{rd-1} \end{bmatrix},$$

and $\mathbf{b}_j = (b_j, b_j, \ldots, b_j)$ is a constant sequence.

Proof. The result follows by noting that $\mathrm{Per}(u) = dr$ and $\mathrm{Per}(b) = d$. □

Lemma 2. With the notation in Lemma 1 we have

$$\mathrm{wt}(v) = \sum_{j=0}^{d-1} \mathrm{wt}(\mathbf{u}_j + \mathbf{b}_j).$$
Proof. Note that

$$\mathrm{wt}(v) = \sum_{j=0}^{d-1} \mathrm{wt}(\mathbf{v}_j).$$

Applying Lemma 1, the result follows immediately. □



Lemma 3. Let $\mathrm{wt}(b) = t$ and

$$\hat g(\lambda, c) = \sum_{x \in K} (-1)^{\mathrm{Tr}(\lambda x^{c}) + g(x)}.$$

Then $\hat g(\lambda, c) \in \{2t,\ 2(t - 2^{n})\}$ for all $\lambda \in K^{*}$, and $\hat g(0, c) = (2^{n} - 1)(d - 2t) + 1$.

Proof.

$$\hat g(0, c) = \sum_{x \in K} (-1)^{g(x)} = 1 + \sum_{x \in K^{*}} (-1)^{g(x)} = 1 + r \sum_{k=0}^{d-1} (-1)^{b_k} = 1 + r\,(d - 2\,\mathrm{wt}(b)).$$

For $\lambda \ne 0$,

$$\hat g(\lambda, c) = 1 + \sum_{i=0}^{2^{2n}-2} (-1)^{u_i + b_i} = 1 + \sum_{i=0}^{2^{2n}-2} (-1)^{v_i} \tag{7}$$

$$= 1 - \mathrm{wt}(v) + \big(2^{2n} - 1 - \mathrm{wt}(v)\big) = 2^{2n} - 2\,\mathrm{wt}(v).$$

So we only need to determine the Hamming weight of $v$. From Lemma 2 we have

$$\mathrm{wt}(v) = \sum_{j=0}^{d-1} \mathrm{wt}(\mathbf{u}_j + \mathbf{b}_j).$$

Note that $\{u_i\}$ is a binary m-sequence of period $2^{2n} - 1$. So one of the column sequences $\mathbf{u}_j$ is the zero sequence and the remaining $2^{n}$ columns are shifts of a binary m-sequence of period $r$. Without loss of generality, suppose that $\mathbf{u}_0 = (0, 0, \ldots, 0)$ is the zero sequence. Therefore $\mathrm{wt}(\mathbf{u}_0) = 0$ and $\mathrm{wt}(\mathbf{u}_j) = 2^{n-1}$ for $1 \le j \le 2^{n}$. We have the following two cases.

Case 1. $b_0 = 0$.

$$\mathrm{wt}(v) = \sum_{j > 0,\ b_j = 0} \mathrm{wt}(\mathbf{u}_j) + \sum_{j > 0,\ b_j = 1} \mathrm{wt}(\mathbf{u}_j + \mathbf{1}) = (d - t - 1)\,2^{n-1} + t\,(2^{n-1} - 1) = d\,2^{n-1} - t - 2^{n-1}.$$

Thus in this case we have

$$\hat g(\lambda, c) = 1 + (2^{2n} - 1) - 2\,(d\,2^{n-1} - t - 2^{n-1}) = 2^{2n} - d\,2^{n} + 2t + 2^{n} = 2t.$$

Case 2. $b_0 = 1$.

$$\mathrm{wt}(v) = (2^{n} - 1) + \sum_{j > 0,\ b_j = 0} \mathrm{wt}(\mathbf{u}_j) + \sum_{j > 0,\ b_j = 1} \mathrm{wt}(\mathbf{u}_j + \mathbf{1}) = 2^{n} - 1 + (d - t)\,2^{n-1} + (2^{n-1} - 1)(t - 1) = 2^{n-1} + d\,2^{n-1} - t.$$

Substituting into (7) we get

$$\hat g(\lambda, c) = 2^{2n} - 2\,(2^{n-1} + d\,2^{n-1} - t) = 2^{2n} - 2^{n} - d\,2^{n} + 2t = 2(t - 2^{n}).$$

Thus $\hat g(\lambda, c) \in \{2t,\ 2(t - 2^{n})\}$ for all $\lambda \in K^{*}$. □

Proof of Theorem 1. If $g(x)$ is hyper-bent, then $|\hat g(\lambda, c)| = 2^{n}$. From Lemma 3 we have $\hat g(\lambda, c) = 2t$ or $2(t - 2^{n})$. Thus $2t = 2^{n} \Rightarrow t = 2^{n-1}$, or $2(2^{n} - t) = 2^{n} \Rightarrow t = 2^{n-1}$. Thus if $g(x)$ is hyper-bent then $\mathrm{wt}(b) = 2^{n-1}$. Conversely, if $\mathrm{wt}(b) = 2^{n-1} = t$, then according to Lemma 3 we have

$$\hat g(\lambda, c) = 2t = 2^{n},$$

or

$$\hat g(\lambda, c) = 2(t - 2^{n}) = 2(2^{n-1} - 2^{n}) = -2^{n},$$

which implies that

$$|\hat g(\lambda, c)| = 2^{n}, \qquad \forall \lambda \in K^{*},$$

and

$$\hat g(0, c) = (2^{n} - 1)(d - 2t) + 1 = (2^{n} - 1)(2^{n} + 1 - 2^{n}) + 1 = 2^{n}.$$

Thus $g(x)$ is hyper-bent. □

In the following theorem, we count how many hyper-bent functions can be obtained using this construction and show that these functions achieve maximal algebraic degree.

Note. Let $f(x) = \sum_i c_i x^{i}$ be a function from $GF(2^{m})$ to $GF(2)$. The algebraic degree of $f(x)$ is defined by

$$AD_f = \max\{AD_{x^{i}} : c_i \ne 0\}, \qquad \text{where } AD_{x^{i}} = \mathrm{wt}(i)$$

is the Hamming weight of the binary expansion of $i$. So the algebraic degree of $f(x)$ is equal to the algebraic degree of a Boolean form of $f(x)$.

Theorem 2. Let

$$S(d) = \{\, b = \{b_i\}_{i \ge 0} \mid b_i \in F \text{ and } \mathrm{Per}(b) = d \,\},$$

and

$$F(d) = \{\, h(x): K \to F \mid h(x) \leftrightarrow b \in S(d) \,\}.$$

Then there are $\binom{2^{n} + 1}{2^{n-1}}$ hyper-bent functions in $F(d)$, and each such function has algebraic degree $n$, which is the maximal algebraic degree that bent functions in $2n$ variables can achieve.
In order to prove Theorem 2 we need the following lemma.

Lemma 4. Let $0 < a < 2^{n} + 1$ with $a \equiv 1 \pmod 2$. Then

$$\mathrm{wt}\big(a(2^{n} - 1)\big) = n.$$

Proof. If $a = 2^{n}$, then $\mathrm{wt}(2^{n}(2^{n} - 1)) = \mathrm{wt}(2^{n} - 1) = n$. If $0 < a < 2^{n}$, then we can write

$$a(2^{n} - 1) = a\,2^{n} - a = 2^{n}(a - 1) + (2^{n} - a).$$

Since $2^{n} - a < 2^{n}$ and $2^{n}(a - 1)$ is a multiple of $2^{n}$ below $2^{2n}$, the two terms occupy disjoint bit positions, so

$$\mathrm{wt}\big(a(2^{n} - 1)\big) = \mathrm{wt}\big(2^{n}(a - 1)\big) + \mathrm{wt}(2^{n} - a). \tag{8}$$

Since $a \equiv 1 \pmod 2$, we can write

$$a = 1 + 2^{i_1} + 2^{i_2} + \cdots + 2^{i_k},$$

where $0 < i_1 < i_2 < \cdots < i_k < n$. Thus

$$a - 1 = 2^{i_1} + \cdots + 2^{i_k} \quad \Rightarrow \quad \mathrm{wt}\big(2^{n}(a - 1)\big) = k. \tag{9}$$

We also have

$$2^{n} - a = 2^{n} - 1 - (a - 1) = (1 + 2 + \cdots + 2^{n-1}) - (2^{i_1} + \cdots + 2^{i_k}).$$

Therefore

$$\mathrm{wt}(2^{n} - a) = n - k. \tag{10}$$

Substituting (9) and (10) into (8), we obtain $\mathrm{wt}(a(2^{n} - 1)) = k + n - k = n$. □

Proof of Theorem 2. According to Theorem 1, $h(x)$ is hyper-bent if and only if $\mathrm{wt}(b) = 2^{n-1}$, i.e., there are $2^{n-1}$ 1's in $(b_0, b_1, \ldots, b_{d-1})$, where $\mathrm{Per}(b) \mid d$. In the following, we first show that $\mathrm{Per}(b) = d$ provided $\mathrm{wt}(b) = 2^{n-1}$ and $\mathrm{Per}(b) \mid d$, i.e., if $\mathrm{wt}(b) = 2^{n-1}$ and $\mathrm{Per}(b) \mid d$ then $b \in S(d)$. Let $d = k\,\mathrm{Per}(b)$. The weight of a stretch of length $d$ is $k$ times the weight of one least period, so $k \mid 2^{n-1}$. Since $\gcd(d, 2) = 1$ and $k \mid d$, this forces $k = 1$. Therefore $\mathrm{Per}(b) = d$, hence $b \in S(d)$. Note that the number of sequences of weight $2^{n-1}$ in $S(d)$ is $\binom{2^{n} + 1}{2^{n-1}}$, which is just the number of hyper-bent functions in $F(d)$.

It can also be shown that for each $h(x) \in F(d)$ there exists $f: K \to F$ such that $h(x) = f(x^{r})$ and the evaluation of $f(x)$ has period $dr$. Therefore the exponent of any trace term in $h(x)$ has $r$ as a divisor, i.e., it can be expressed as $rs$ where $1 \le s \le 2^{n}$ and $rs$ is a coset leader; such an $s$ is odd, since for even $s$ the exponent $rs = 2 \cdot r(s/2)$ lies in the cyclotomic coset of the smaller exponent $r(s/2)$. Applying Lemma 4 we have $\mathrm{wt}(rs) = n$. Thus all exponents in $h(x)$ have weight $n$. Therefore $h(x)$ has algebraic degree $n$, which is maximal since bent functions in $2n$ variables have algebraic degree $\le n$ [ref]. □

Remark 1. It is easy to show that the complements of the functions obtained from our construction are also hyper-bent. Thus the total number of hyper-bent functions (with $2n$ input bits) obtained from our construction is $2\binom{2^{n} + 1}{2^{n-1}}$.
Remark 2. After this paper was accepted for publication, Claude Carlet pointed out that this class of hyper-bent functions corresponds to the class of bent functions (family $PS_{ap}$) introduced by Dillon in his dissertation. In [ref] Dillon constructed this class using partial spread difference sets.

Remark 3. The special case where $g(x)$ in Theorem 1 is given by $\mathrm{Tr}(a x^{2^{n}-1})$, with $a \in K$ such that $b \leftrightarrow \mathrm{Tr}(a x^{2^{n}-1})$ is balanced, is equivalent to the difference set construction in [ref]. In [ref] Dillon showed that the difference sets constructed using $\mathrm{Tr}(a x^{2^{n}-1})$ are inequivalent to the Maiorana-McFarland construction [ref]. Using a similar approach, it is easy to show that the construction in Theorem 1 is inequivalent to the Maiorana-McFarland construction.

5 Construction of Balanced Functions with Large NLG

By randomly complementing $2^{n-1}$ zeros of a hyper-bent function we obtain a balanced function with $NLG \ge 2^{2n-1} - 2^{n}$: a hyper-bent function has weight $2^{2n-1} - 2^{n-1}$, and each complemented position changes every $\hat f(\lambda, c)$ by at most 2, so $|\hat f(\lambda, c)| \le 2^{n} + 2^{n}$ after the modification. Using this construction procedure, for $2n = 8$ we were able to obtain balanced functions with $NLG = 116$. (Note that the best known nonlinearity for balanced functions with 8 input variables is 116 [refs].)

Example 1. The $(17, 15)$ interleaved sequence corresponding to a balanced function $f: GF(2^{8}) \to GF(2)$ with $NLG = 116$ is shown below; row $k$ holds $f(\alpha^{17k}), \ldots, f(\alpha^{17k+16})$, so before the modification every row is one period of $b$ (the hyper-bent function $g \leftrightarrow b$ has period 17). The ones in the complemented positions are surrounded by brackets.

    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1 (1) 0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1 (1) 0 1 1 0 1 1 0 0 0 1  0  0 1 0
    1 1  0  0 1 1 0 1 1 0 0 0 1  0  0 1 0
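Everything in Sections 3 to 5 can be checked by brute force when $2n = 8$: build $g \leftrightarrow b$ from a period-17 sequence of weight $2^{n-1} = 8$, compute its EHT for every $\lambda \in K$ and every $c$ coprime to $255$, confirm that the spectrum is constant ($\pm 16$), that the algebraic degree is $n = 4$ (Theorem 2), and that complementing eight zeros gives a balanced function whose $NLG$ is at least $2^{2n-1} - 2^{n} = 112$. The Python below is an added example written for this edition, not code from the paper. It assumes the primitive polynomial $x^{8} + x^{4} + x^{3} + x^{2} + 1$ for $GF(2^{8})$ (the paper fixes none; changing the primitive element composes $f$ with a bijective monomial, which permutes the EHT and leaves hyper-bentness, degree and $NLG$ unchanged), and it reads $b$ and the eight bracketed positions off the array of Example 1 as exponents $17k + j$ for row $k$, column $j$. The EHT over all $\lambda$ for a fixed $c$ is computed as the ordinary Walsh spectrum of $y \mapsto f(y^{1/c})$, which is just the substitution $y = x^{c}$ in (6). The paper reports $NLG = 116$ for this example; the script prints the value it computes.

```python
"""Hyper-bent functions from a balanced sequence of period 2^n + 1 (Theorem 1),
their algebraic degree (Theorem 2), the extended Hadamard transform (EHT) and
the generalized nonlinearity NLG, checked by brute force for 2n = 8."""
from math import gcd

N_HALF = 4                                   # n; the functions have 2n = 8 inputs
FIELD_BITS = 2 * N_HALF
FIELD_SIZE = 1 << FIELD_BITS                 # |K| = 256
ORDER = FIELD_SIZE - 1                       # 2^{2n} - 1 = 255 = r * d
D = (1 << N_HALF) + 1                        # d = 2^n + 1 = 17, the period of b
PRIM_POLY = 0x11D                            # x^8+x^4+x^3+x^2+1 (assumed choice)

def build_tables(poly, bits):
    """Exp/log tables of GF(2^bits) with respect to the root alpha of poly."""
    order = (1 << bits) - 1
    exp, log = [0] * order, [0] * (1 << bits)
    x = 1
    for i in range(order):
        exp[i], log[x] = x, i
        x <<= 1
        if x >> bits:
            x ^= poly
    assert x == 1, "poly is not primitive"
    return exp, log

EXP, LOG = build_tables(PRIM_POLY, FIELD_BITS)

def field_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % ORDER]

def field_pow(x, k):
    """x^k in K for k >= 1, with 0^k = 0."""
    return 0 if x == 0 else EXP[(LOG[x] * k) % ORDER]

def trace(x):
    """Absolute trace K -> GF(2): x + x^2 + x^4 + ... + x^(2^(2n-1))."""
    t, y = 0, x
    for _ in range(FIELD_BITS):
        t ^= y
        y = field_mul(y, y)
    return t                                 # an element of GF(2) = {0, 1}

def sequence_to_function(b):
    """g <-> b: g(0) = 0 and g(alpha^i) = b_i, b periodic with period len(b)."""
    g = [0] * FIELD_SIZE
    for i in range(ORDER):
        g[EXP[i]] = b[i % len(b)]
    return g

def eht(f, lam, c):
    """EHT f^(lam, c) = sum over x in K of (-1)^(Tr(lam x^c) + f(x)), as in (6)."""
    return sum(1 - 2 * (trace(field_mul(lam, field_pow(x, c))) ^ f[x])
               for x in range(FIELD_SIZE))

def walsh_spectrum(f):
    """Fast Walsh-Hadamard transform of a truth table indexed by field elements
    (polynomial basis); entry a is sum over y of (-1)^(a.y + f(y))."""
    w = [1 - 2 * v for v in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def eht_spectra(f):
    """{c: [f^(lam, c) over all lam in K]} for every c coprime to 2^{2n} - 1.
    Substituting y = x^c makes f^(., c) the Walsh spectrum of y -> f(y^(1/c)),
    and {Tr(lam y) : lam in K} is exactly the set of all linear forms a.y."""
    spectra = {}
    for c in range(1, ORDER):
        if gcd(c, ORDER) == 1:
            c_inv = pow(c, -1, ORDER)
            table = [f[field_pow(y, c_inv)] for y in range(FIELD_SIZE)]
            spectra[c] = walsh_spectrum(table)
    return spectra

def is_hyper_bent(f):
    """|f^(lam, c)| = 2^n for all lam in K and all c coprime to 2^{2n} - 1."""
    return all(abs(v) == 1 << N_HALF for s in eht_spectra(f).values() for v in s)

def generalized_nonlinearity(f):
    """NLG(f) = 2^{2n-1} - (1/2) max |f^(lam, c)| over all lam and coprime c."""
    peak = max(abs(v) for s in eht_spectra(f).values() for v in s)
    return (1 << (FIELD_BITS - 1)) - peak // 2

def algebraic_degree(f):
    """Degree of the ANF via the binary Moebius transform (basis-independent)."""
    a = list(f)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max(bin(i).count("1") for i, v in enumerate(a) if v)

def complement_positions(f, exponents):
    """Section 5: complement the zeros of f at x = alpha^i for the given i."""
    out = list(f)
    for i in exponents:
        assert out[EXP[i]] == 0, "only zeros are complemented"
        out[EXP[i]] = 1
    return out

# One period of b from Example 1 (weight 8, period 17) and the exponents
# 17*row + column of the bracketed entries of that array.
B_SEQ = (1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0)
COMPLEMENTED = (19, 36, 47, 121, 138, 189, 206, 223)
G_HYPER_BENT = sequence_to_function(B_SEQ)
F_BALANCED = complement_positions(G_HYPER_BENT, COMPLEMENTED)

if __name__ == "__main__":
    print("wt(g) =", sum(G_HYPER_BENT), "hyper-bent:", is_hyper_bent(G_HYPER_BENT),
          "degree:", algebraic_degree(G_HYPER_BENT))
    print("wt(f) =", sum(F_BALANCED), "NLG(f) =", generalized_nonlinearity(F_BALANCED))
```

Replacing B_SEQ by any other weight-8 sequence of period 17 gives another member of $F(d)$; replacing it by a weight-9 sequence (also "balanced" in the loose sense) makes is_hyper_bent return False, which is the distinction drawn in Theorem 1.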



6 Construction for Vectorial Hyper-bent Functions

Let $\{\eta_0, \eta_1, \ldots, \eta_{m-1}\}$ be a basis of $GF(2^{m})$ over $GF(2)$. Then we can write $h: GF(2^{2n}) \to GF(2^{m})$ as

$$h(x) = \sum_{j=0}^{m-1} h_j(x)\,\eta_j, \qquad h_j: K \to F.$$

We call $h(x)$ VHB if and only if every nonzero linear combination of its output coordinates is a hyper-bent function, i.e., $h(x)$ is a VHB function if and only if, for any non-zero $m$-tuple $(c_0, c_1, \ldots, c_{m-1}) \in F^{m}$, the function $\sum_i c_i h_i(x)$ from $K$ to $F$ is hyper-bent. Clearly, VHB functions are a sub-class of perfect nonlinear functions [refs]. It is known that such functions exist only for $m \le n$ [ref]. In this section we apply the results of Section 4 to present a new construction for vectorial hyper-bent (VHB) functions with the maximum possible number of outputs and maximal algebraic degree.

Keep $r$ and $d$ as defined before. Let $\gamma = \alpha^{d}$ and $E = GF(2^{n})$. Then $\gamma$ is a primitive element of $E$. Let $\{\beta_0, \ldots, \beta_{n-1}\}$ be the dual basis of $\{1, \gamma, \ldots, \gamma^{n-1}\}$ of $E$ over $F$, and let $\pi: E \to E$ be a permutation. We define

$$b'_{i,j} = \begin{cases} \mathrm{Tr}(\beta_j\,\pi(\gamma^{i})), & 0 \le i \le 2^{n} - 2, \\ \mathrm{Tr}(\beta_j\,\pi(0)), & i = 2^{n} - 1, \\ 0, & i = 2^{n}. \end{cases} \tag{11}$$

Let $b_j = \{b_{i,j}\}_{i \ge 0}$ where $b_{i,j} = b'_{s,j}$ for $i = kd + s$ with $0 \le s < d$. From the construction above it is easy to see that $\mathrm{Per}(b_j) = d$.

Theorem 3. With the notation above, let $\Pi$ be the set consisting of all permutations of $E$ and

$$P = \Big\{\, h(x): K \to E \,\Big|\, h(x) = \sum_{j=0}^{n-1} h_j(x)\,\gamma^{j},\ h_j(x) \leftrightarrow b_j,\ \pi \in \Pi \,\Big\}.$$

Then any function $h \in P$ is a VHB function with maximum algebraic degree. Moreover, we have

$$|P| = (2^{n})!\,.$$

Proof. We can write $\pi(x) = \sum_{j=0}^{n-1} \mathrm{Tr}(\beta_j\,\pi(x))\,\gamma^{j}$. Since $\pi$ is a permutation of $E$, $\mathrm{wt}(\mathrm{Tr}(\beta_j\,\pi(x))) = 2^{n-1}$ for $0 \le j < n$. From (11), $b_j$ is obtained from the evaluation of $\mathrm{Tr}(\beta_j\,\pi(x))$ by lengthening it by one zero bit. Thus $\mathrm{wt}(b_j) = 2^{n-1}$ for each $j$, $0 \le j < n$. For any nonzero $n$-tuple $(c_0, c_1, \ldots, c_{n-1}) \in F^{n}$, the evaluation of $D(x) = \sum_i c_i h_i(x)$ can be obtained from the evaluation of $C(x) = \sum_i c_i\,\mathrm{Tr}(\beta_i\,\pi(x))$ by lengthening it by one zero bit. Note that

$$C(x) = \mathrm{Tr}\Big(\sum_i c_i \beta_i\,\pi(x)\Big) = \mathrm{Tr}(\theta\,\pi(x)),$$

where $\theta = \sum_i c_i \beta_i \ne 0$, $\theta \in E$. Thus $\mathrm{wt}(C(x)) = \mathrm{wt}(\mathrm{Tr}(\theta\,\pi(x))) = 2^{n-1}$. Therefore the evaluation of $D(x)$ has weight $2^{n-1}$. According to Theorem 1, $D(x)$ is hyper-bent. Thus $h(x)$ is a VHB function. The proof regarding the algebraic degree is identical to that in the proof of Theorem 2. Since the number of permutations of $E$ is $(2^{n})!$, we have $|P| = (2^{n})!$. □
Remark 4. Note that we can insert the one zero bit in (11) at any place other than $i = 2^{n}$ and still have $\mathrm{wt}(b_j) = 2^{n-1}$. Hence we have $(2^{n} + 1)!/2$ such constructions, which corresponds to the number of ordered arrangements of $2^{n} + 1$ elements of which 2 elements are the same and the remaining $2^{n} - 1$ elements are all different. It is easy to show that the complements of the functions obtained from our construction are also VHB functions. Thus the total number of VHB functions (with $2n$ input bits) obtained from our construction is

$$(2^{n} + 1)!\,.$$

Remark 5. Note that the notion of hyper-bent functions investigated in this paper is different from the one used in [ref]. In fact, the class of functions considered in [ref] consists of those Boolean functions on $(GF(2))^{m}$ ($m$ even) such that, for a given even integer $k$ ($2 \le k \le m - 2$), any of the Boolean functions on $(GF(2))^{m-k}$ obtained by fixing $k$ coordinates of the variable is bent.

7 Conclusions

Boolean functions used in block cipher design should have a large Hamming distance to functions with a simple algebraic description. In this paper, we presented a method to construct bent functions which achieve the maximal minimum distance to the set of all bijective monomials. Functions obtained from our construction achieve the maximum algebraic degree. These functions can be modified to achieve the balance property while maintaining a large distance to bijective monomials. We also presented a method to construct vectorial bent functions for which every non-zero linear combination of the coordinate functions satisfies the above property. These functions also achieve both the largest degree and the largest number of output bits. It should also be noted that while the Rijndael (NIST's selection for the AES) S-boxes are constructed from the monomial $x^{-1} = x^{254}$ over $GF(2^{8})$, an affine transformation over $GF(2)$ is applied to the output of these S-boxes, and hence the resulting S-boxes do not have a simple algebraic description when viewed as a polynomial over $GF(2^{8})$.
Abstract. We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [ref]) applies only when the linear transformation branch number ($\mathcal{B}$) is $M$ or $(M + 1)$ (maximal case), where $M$ is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of $\mathcal{B}$. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When $\mathcal{B} = M$, our upper bound is consistently superior to [ref]. When $\mathcal{B} = (M + 1)$, our upper bound does not appear to improve on [ref]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound $UB = 2^{-75}$, corresponding to a lower bound on the data complexity of $N_L = 2^{78}$ (for 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.

Keywords: substitution-permutation networks, linear cryptanalysis, maximum average linear hull probability, provable security



1 Introduction

The substitution-permutation network (SPN) [ref] is a fundamental block cipher architecture designed to be a practical implementation of Shannon's principles of confusion and diffusion [ref], through the use of substitution and linear transformation (LT), respectively. There has been a recent increase in interest in SPNs, in part because their simplicity lends itself to analysis, and, from an implementation viewpoint, because they tend to be highly parallelizable. This interest will no doubt be spurred on by the recent adoption of Rijndael (a straightforward SPN) as the U.S. Government Advanced Encryption Standard (AES) [ref].

The two most powerful cryptanalytic attacks on block ciphers are generally considered to be linear cryptanalysis (LC) [ref] and differential cryptanalysis (DC) [ref]. There exists a strong duality between these two attacks which allows certain results related to one of the attacks to be translated into the corresponding results for the other attack [refs]. This duality applies to the work of this paper; for this reason we will limit our focus to LC.

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 420-436, 2001.
© Springer-Verlag Berlin Heidelberg 2001

In carrying out LC, an attacker typically computes a vector called the best linear characteristic, for which the associated linear characteristic probability (LCP) is maximal. This LCP allows the attacker to estimate the number of known plaintexts required to mount a successful attack. In [ref], Nyberg showed that the use of linear characteristics underestimates the success of LC. In order to guarantee provable security, a block cipher designer needs to consider approximate linear hulls instead of linear characteristics, and the maximum average linear hull probability instead of the LCP of the best linear characteristic.

In this paper we present a new method for computing an upper bound on the maximum average linear hull probability for SPNs. The best previous result is that of Hong et al. [ref], which applies only to SPNs with highly diffusive LTs. In contrast, our method can be applied to an SPN with any LT (computation time may vary). Moreover, the upper bound we compute is a function of the number of rounds of the SPN; all other upper bounds known to the authors do not depend on the number of rounds. When the diffusiveness of the LT is one less than maximum (the relevant definition is given in a later section), our upper bound is consistently superior to that of [ref]. For LTs with maximum diffusiveness, our upper bound does not appear to improve on [ref].

Application of our method to Rijndael (128-bit block size, 10 rounds), which involved extensive computation, yielded the upper bound $UB = 2^{-75}$, for a corresponding lower bound on the data complexity of LC of $N_L = 2^{78}$ (for 96.7% success rate; see Section 3). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.

Conventions

In what follows, $\{0, 1\}^{d}$ denotes the set of all $d$-bit vectors, which we view as row vectors. For a vector or matrix $w$, $w'$ denotes the transpose of $w$. We adopt the convention that numbering of the bits of a binary vector proceeds from left to right, beginning at 1. The Hamming weight of a vector $\mathbf{x}$ is written $\mathrm{wt}(\mathbf{x})$. If $Z$ is a random variable (r.v.), $E[Z]$ denotes the expected value of $Z$. And we use $|A|$ to indicate the number of elements in the set $A$.

2 Substitution-Permutation Networks

A block cipher is a bijective mapping from $N$ bits to $N$ bits ($N$ is called the block size) parameterized by a bitstring called a key, denoted $\mathbf{k}$. Common block sizes are 64 and 128 bits. The input to a block cipher is called a plaintext, and the output is called a ciphertext.

An SPN encrypts a plaintext through a series of $R$ simpler encryption steps called rounds. The input to round $r$ ($1 \le r \le R$) is first bitwise XOR'd with an $N$-bit subkey, denoted $\mathbf{k}^{r}$, which is typically derived from the key, $\mathbf{k}$, via a separate key-scheduling algorithm. The substitution stage then partitions the resulting vector into $M$ subblocks of size $n$ ($N = Mn$), which become the inputs to a row of bijective $n \times n$ substitution boxes (s-boxes), bijective mappings from $\{0, 1\}^{n}$ to $\{0, 1\}^{n}$. Finally, the permutation stage applies an invertible LT to the output of the s-boxes (classically, a bitwise permutation). Often the permutation stage is omitted from the last round. A final subkey, $\mathbf{k}^{R+1}$, is XOR'd with the output of round $R$ to form the ciphertext. Figure 1 depicts an example SPN with $N = 16$, $M = n = 4$, and $R = 3$.

We assume the most general situation for the key, namely, that $\mathbf{k}$ is an independent key [ref], a concatenation of $(R + 1)$ independent subkeys; symbolically, $\mathbf{k} = (\mathbf{k}^{1}, \mathbf{k}^{2}, \ldots, \mathbf{k}^{R+1})$. We use $\mathcal{K}$ to denote the set of all independent keys.

Fig. 1. SPN with $N = 16$, $M = n = 4$, $R = 3$ (diagram of rounds 1 to 3, each consisting of a subkey XOR, a row of four s-boxes and a bit permutation)



3 Linear Cryptanalysis

Linear cryptanalysis (LC) was introduced by Matsui in 1993 [ref]. The more powerful version is known as Algorithm 2 (Algorithm 1 extracts only a single subkey bit). As applied to SPNs, Algorithm 2 can be used to extract the first subkey, $\mathbf{k}^{1}$. Once $\mathbf{k}^{1}$ is known, the first round can be stripped off, and LC can be reapplied to obtain $\mathbf{k}^{2}$, and so on.

Let $\mathbf{P}$, $\mathbf{C}$, and $\mathbf{X}$ be r.v.'s representing the plaintext, ciphertext, and intermediate input to round 2, respectively. The attacker attempts to identify the best correlation between the parity of a subset of the bits of $\mathbf{X}$ and the parity of a subset of the bits of $\mathbf{C}$. Symbolically, the attacker wants masks $\mathbf{a}, \mathbf{b} \in \{0, 1\}^{N} \setminus \mathbf{0}$ which maximize the following linear probability:

$$LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b}) = \big(2 \cdot \mathrm{Prob}\{\mathbf{a} \bullet \mathbf{X} = \mathbf{b} \bullet \mathbf{C}\} - 1\big)^{2}, \tag{1}$$

for a fixed key, $\mathbf{k}$ (the symbol $\bullet$ denotes the inner product over $GF(2)$). Note that $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b}) \in [0, 1]$. Given $\mathbf{a}$ and $\mathbf{b}$, the attack proceeds as in Figure 2.
Fig. 2. Summary of linear cryptanalysis (Algorithm 2). Each plaintext $\mathbf{p}_i$ is encrypted through round 1 under the guessed subkey to give $\mathbf{x}_i$, from which $\mathbf{a} \bullet \mathbf{x}_i$ is formed; rounds $2 \ldots R$ produce $\mathbf{c}_i$, from which $\mathbf{b} \bullet \mathbf{c}_i$ is formed.

Obtain $N_L$ known (plaintext, ciphertext) pairs: $(\mathbf{p}_1, \mathbf{c}_1), (\mathbf{p}_2, \mathbf{c}_2), \ldots, (\mathbf{p}_{N_L}, \mathbf{c}_{N_L})$.
Guess $\mathbf{k}^{1} = \mathbf{k}$. Encrypt each $\mathbf{p}_i$ through round 1 to obtain $\mathbf{x}_i$.
If $\mathbf{a} \bullet \mathbf{x}_i = \mathbf{b} \bullet \mathbf{c}_i$ then increment counter $\mu(\mathbf{k})$.
Choose the $\mathbf{k}$ which maximizes $|2 \cdot \mu(\mathbf{k}) - N_L|$.

The probability that Algorithm 2 will determine the correct value of $\mathbf{k}^{1}$ increases as the number of known (plaintext, ciphertext) pairs, $N_L$, is increased. The value $N_L$ is called the data complexity of the attack; this is what the attacker wants to minimize. Given an assumption about the behavior of the round-1 output [ref], Matsui shows that if $N_L = c / LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$, then Algorithm 2 has the success rates in the following table, for various values of the constant $c$.

    c             2        4        8        16
    Success rate  48.6%    78.5%    96.7%    99.9%

3.1 Notational Generalization

In describing Algorithm 2, we have discussed input and output masks ($\mathbf{a}$ and $\mathbf{b}$, respectively) and the associated linear probability for rounds $2 \ldots R$ of an $R$-round SPN. It is useful to consider these and other related concepts as applying to any $T \ge 2$ consecutive rounds of an SPN. Hereafter, unless specified otherwise, terms such as "first round" and "last round" are relative to the $T$ rounds under consideration. For Algorithm 2, then, $T = R - 1$, and the "first round," or "round 1," is actually round 2 of the SPN. And for simplicity, we will always assume that the LT is absent from round $T$ (this does not affect LC).
4 Linear Characteristics

For fixed $\mathbf{a}, \mathbf{b} \in \{0, 1\}^{N}$, direct computation of $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$ is generally infeasible, first since it requires encrypting all $N$-bit vectors through rounds $1 \ldots T$, and second because $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$ depends on the unknown key, $\mathbf{k}$. The latter is usually handled by working not with $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$, but with the average (expected) value of $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$ over all independent keys $\mathbf{k} \in \mathcal{K}$, denoted $E_T[\mathbf{a}, \mathbf{b}]$:

$$E_T[\mathbf{a}, \mathbf{b}] = E\big[LP_{\mathbf{K}}(\mathbf{a} \to \mathbf{b})\big] \tag{2}$$

($\mathbf{K}$ is an r.v. uniformly distributed over $\mathcal{K}$). The implicit assumption is that $LP_{\mathbf{k}}(\mathbf{a} \to \mathbf{b})$ is approximately equal to $E_T[\mathbf{a}, \mathbf{b}]$ for most values of $\mathbf{k}$ (Harpes et al. refer to this as the Hypothesis of fixed-key equivalence [ref]). The data complexity of Algorithm 2 for masks $\mathbf{a}$ and $\mathbf{b}$ is now taken to be $N_L = c / E_T[\mathbf{a}, \mathbf{b}]$. The problem of computational complexity is usually treated by approximating $E_T[\mathbf{a}, \mathbf{b}]$ through the use of linear characteristics (or simply characteristics).

4.1 One-Round and Multi-round Linear Characteristics

Note that the linear probability in (1) can be defined for any binary mapping, in particular for a bijective $n \times n$ s-box, $S$. Let $\alpha, \beta \in \{0, 1\}^{n}$, and let $\mathbf{X}$ be an r.v. uniformly distributed over $\{0, 1\}^{n}$. Define

$$LP^{S}(\alpha \to \beta) = \big(2 \cdot \mathrm{Prob}\{\alpha \bullet \mathbf{X} = \beta \bullet S(\mathbf{X})\} - 1\big)^{2} \tag{3}$$

$$q = \max_{S \in \text{SPN}}\ \max_{\alpha, \beta \in \{0, 1\}^{n} \setminus \mathbf{0}} LP^{S}(\alpha \to \beta). \tag{4}$$

A one-round characteristic for round $t$, $1 \le t \le T$, is a pair $\Omega^{t} = (\mathbf{a}^{t}, \mathbf{b}^{t})$ in which $\mathbf{a}^{t}$ and $\mathbf{b}^{t}$ are input and output masks, respectively, for round $t$, excluding the permutation stage. The linear characteristic probability of $\Omega^{t}$, denoted $LCP^{t}(\Omega^{t})$ or $LCP^{t}(\mathbf{a}^{t} \to \mathbf{b}^{t})$, is simply the linear probability obtained by viewing round $t$ (minus the permutation stage) as an $N \times N$ s-box:

$$LCP^{t}(\Omega^{t}) = \big(2 \cdot \mathrm{Prob}\{\mathbf{a}^{t} \bullet \mathbf{X} = \mathbf{b}^{t} \bullet S^{t}(\mathbf{X} \oplus \mathbf{k}^{t})\} - 1\big)^{2}, \tag{5}$$

where $S^{t}(\cdot)$ denotes application of the s-boxes of round $t$, and $\mathbf{X}$ is an r.v. uniformly distributed over $\{0, 1\}^{N}$. (Note: It can be shown that $LCP^{t}(\Omega^{t})$ is independent of the (unknown) subkey $\mathbf{k}^{t}$, and therefore the operation $\oplus\, \mathbf{k}^{t}$ can be removed from (5).) Let the $M$ s-boxes of round $t$ be enumerated from left to right as $S^{t}_{1}, S^{t}_{2}, \ldots, S^{t}_{M}$. Note that $\mathbf{a}^{t}$ and $\mathbf{b}^{t}$ determine input and output masks for each s-box in round $t$; let the masks for $S^{t}_{i}$ be denoted $\alpha^{t}_{i}$ and $\beta^{t}_{i}$, respectively. Then by Matsui's Piling-up Lemma [ref],

$$LCP^{t}(\Omega^{t}) = \prod_{i=1}^{M} LP^{S^{t}_{i}}(\alpha^{t}_{i} \to \beta^{t}_{i}). \tag{6}$$
Definition 1. Let $L$ denote the $N$-bit LT of the SPN represented as a binary $N \times N$ matrix, i.e., if $\mathbf{x}, \mathbf{y} \in \{0, 1\}^{N}$ are the input and output, respectively, for the LT, then $\mathbf{y} = (L\mathbf{x}')'$.

Lemma 1 ([ref]). If $\mathbf{b} \in \{0, 1\}^{N}$ and $\mathbf{a} = (L'\mathbf{b}')'$, then $\mathbf{a} \bullet \mathbf{x} = \mathbf{b} \bullet \mathbf{y}$ for all $N$-bit inputs to the LT, $\mathbf{x}$, and corresponding outputs, $\mathbf{y}$ (i.e., if $\mathbf{b}$ is an output mask for the LT, then $\mathbf{a} = (L'\mathbf{b}')'$ is the (unique) corresponding input mask).

Now given one-round characteristics for each of rounds $1 \ldots T$, $\Omega^{1} = (\mathbf{a}^{1}, \mathbf{b}^{1})$, $\Omega^{2} = (\mathbf{a}^{2}, \mathbf{b}^{2})$, $\ldots$, $\Omega^{T} = (\mathbf{a}^{T}, \mathbf{b}^{T})$, these can be concatenated to form a single $T$-round characteristic if $\mathbf{a}^{t+1}$ and $\mathbf{b}^{t}$ are corresponding output and input masks for the LT, respectively, for $1 \le t \le (T - 1)$ (see Lemma 1). The resulting $T$-round characteristic is the tuple $\Omega = (\mathbf{a}^{1}, \mathbf{a}^{2}, \ldots, \mathbf{a}^{T}, \mathbf{b}^{T})$. The linear characteristic probability of $\Omega$ is again given by Matsui's Piling-up Lemma:

$$LCP(\Omega) = \prod_{t=1}^{T} LCP^{t}(\Omega^{t}). \tag{7}$$

4.2 Choosing the Best Characteristic

In carrying out LC, the attacker typically runs an algorithm to find the $T$-round characteristic, $\Omega$, for which $LCP(\Omega)$ is maximal; such a characteristic (not necessarily unique) is called the best characteristic [ref]. If $\Omega = (\mathbf{a}^{1}, \mathbf{a}^{2}, \ldots, \mathbf{a}^{T}, \mathbf{b}^{T})$, and if the input and output masks used in Algorithm 2 are taken to be $\mathbf{a} = \mathbf{a}^{1}$ and $\mathbf{b} = \mathbf{b}^{T}$, respectively, then $E_T[\mathbf{a}, \mathbf{b}]$ (used to determine $N_L = c / E_T[\mathbf{a}, \mathbf{b}]$) is approximated by

$$E_T[\mathbf{a}, \mathbf{b}] \approx LCP(\Omega). \tag{8}$$

5 Provable Security against Linear Cryptanalysis

The approximation in (8) has been widely used to evaluate the security of block ciphers against LC. Knudsen calls a block cipher practically secure if the data complexity determined by this method is prohibitive. However, in 1994 Nyberg demonstrated that this approach underestimates the success of LC. We state Nyberg's results in the context of SPNs.



5.1 Approximate Linear Hulls

Definition 2 (Nyberg). Given nonzero $N$-bit masks $\mathbf{a}, \mathbf{b}$, the approximate linear hull, $ALH(\mathbf{a},\mathbf{b})$, is the set of all $T$-round characteristics, for the $T$ rounds under consideration, having $\mathbf{a}$ as the input mask for round 1 and $\mathbf{b}$ as the output mask for round $T$, i.e., all characteristics of the form $\Omega = (\mathbf{a}, \mathbf{a}^2, \mathbf{a}^3, \ldots, \mathbf{a}^T, \mathbf{b})$.

Remark: Recall that any characteristic $\Omega \in ALH(\mathbf{a},\mathbf{b})$ determines an input and an output mask for each s-box in rounds $1 \ldots T$. If this yields at least one s-box for which the input mask is zero and the output mask is nonzero, or vice versa, the linear probability associated with that s-box will be 0 (see the definition of $LP$), and therefore $LCP(\Omega) = 0$ by (6) and (7). We exclude such characteristics from consideration.

Definition 3. For $\mathbf{a}, \mathbf{b} \in \{0,1\}^N \setminus \mathbf{0}$, let $ALH(\mathbf{a},\mathbf{b})^*$ consist of the elements $\Omega \in ALH(\mathbf{a},\mathbf{b})$ such that for each s-box in rounds $1 \ldots T$, the input and output masks determined by $\Omega$ for that s-box are either both zero or both nonzero.



Theorem 1 (Nyberg). Let $\mathbf{a}$ and $\mathbf{b}$ be fixed nonzero $N$-bit input and output masks, respectively, for $T$ rounds of an SPN. Then

$$E_T[\mathbf{a},\mathbf{b}] = \sum_{\Omega \in ALH(\mathbf{a},\mathbf{b})^*} LCP(\Omega). \qquad (9)$$

It follows immediately from Theorem 1 that (8) does not hold in general, since $E_T[\mathbf{a},\mathbf{b}]$ is shown to be equal to the sum of terms $LCP(\Omega)$ over a (large) set of characteristics. Therefore, on average, the linear characteristic probability of the best characteristic will be strictly less than $E_T[\mathbf{a},\mathbf{b}]$. An important implication of this is that the attacker will overestimate the number of (plaintext, ciphertext) pairs required for a given success rate. Indeed, Harpes et al. comment that Matsui observed that his attacks performed better than expected.
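The bookkeeping behind (6), (7) and Theorem 1 can be made concrete on a toy SPN. The following is an added example, not code from the paper: it assumes an 8-bit SPN with two copies of the 4-bit PRESENT s-box per round and a fixed bit-permutation LT (both chosen here for illustration), computes one-round LCP values by the Piling-up Lemma, checks the Parseval identity of Lemma 3 for one round, and evaluates $E_2[\mathbf{a},\mathbf{b}]$ as the sum over the approximate linear hull (Lemma 4, equation (9)) next to the best single characteristic that the approximation (8) would use. For a bit-permutation $L$ one has $L' = L^{-1}$, so the LT output mask corresponding to an input mask is simply the permuted mask.

```python
# Toy SPN for the linear-hull bookkeeping (constructed example, not the paper's cipher):
# N = 8 bits, M = 2 s-boxes of n = 4 bits per round, LT = fixed bit permutation.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # the 4-bit PRESENT s-box
N_BITS, M, SBOX_BITS = 8, 2, 4
PERM = [0, 2, 4, 6, 1, 3, 5, 7]                   # LT: output bit j = input bit PERM[j]


def parity(v):
    return bin(v).count("1") & 1


def lp_sbox(alpha, beta):
    """Linear probability of one s-box for input mask alpha and output mask beta:
    LP = (2 * Pr[alpha.x = beta.S(x)] - 1)^2, i.e. the squared correlation."""
    matches = sum(1 for x in range(16) if parity(alpha & x) == parity(beta & SBOX[x]))
    return (2 * matches / 16 - 1) ** 2


def max_sbox_lp():
    """q: the maximum LP over nonzero masks (q = 1/4 for the PRESENT s-box)."""
    return max(lp_sbox(a, b) for a in range(1, 16) for b in range(1, 16))


def lcp_round(a, b):
    """Equation (6): one-round LCP(a -> b) is the product of the per-s-box LPs
    (Piling-up Lemma); s-box i takes nibble i of each mask, counted from the low end."""
    p = 1.0
    for i in range(M):
        alpha = (a >> (SBOX_BITS * i)) & 0xF
        beta = (b >> (SBOX_BITS * i)) & 0xF
        p *= lp_sbox(alpha, beta)
    return p


def lt_mask(x):
    """Output mask of the bit-permutation LT for input mask x (Lemma 1): for a
    permutation matrix L, L' = L^-1, so masks are permuted exactly like data bits."""
    return sum(((x >> PERM[j]) & 1) << j for j in range(N_BITS))


def lcp_characteristic(rounds):
    """Equation (7): LCP of a T-round characteristic given as [(a^1, b^1), ..., (a^T, b^T)].
    Raises if consecutive rounds are not connected through the LT (Lemma 1)."""
    for (a_t, b_t), (a_next, _) in zip(rounds, rounds[1:]):
        if lt_mask(b_t) != a_next:
            raise ValueError("b^t and a^(t+1) are not corresponding LT masks")
    p = 1.0
    for a_t, b_t in rounds:
        p *= lcp_round(a_t, b_t)
    return p


def hull_2rounds(a, b):
    """E_2[a,b] via Lemma 4 / Theorem 1: the sum over every LT input mask x of
    LCP^1(a -> x) * LCP^2(y -> b), where y is the LT output mask for x.
    Returns (hull, best single characteristic, number of characteristics in
    ALH(a,b)* with nonzero LCP)."""
    total, best, count = 0.0, 0.0, 0
    for x in range(1 << N_BITS):
        p = lcp_round(a, x) * lcp_round(lt_mask(x), b)
        if p > 0:
            total += p
            best = max(best, p)
            count += 1
    return total, best, count


def parseval_check(a):
    """Lemma 3 for one round: the sum over all output masks x of LCP(a -> x) is 1."""
    return sum(lcp_round(a, x) for x in range(1 << N_BITS))


if __name__ == "__main__":
    hull, best, n_chars = hull_2rounds(0x0F, 0xF0)
    print(f"q = {max_sbox_lp()}")
    print(f"E_2[0x0F,0xF0] = {hull}  best characteristic = {best}  ({n_chars} characteristics)")
```

For the pair $\mathbf{a} = \mathtt{0x0F}$, $\mathbf{b} = \mathtt{0xF0}$ three characteristics survive the zero/nonzero mask constraint of Definition 3, and the hull value $9/256$ is more than twice the best characteristic's $1/64$; this is exactly the gap between (8) and (9) that makes an attacker's data-complexity estimate pessimistic.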

5.2 Maximum Average Linear Hull Probability

An SPN is considered to be provably secure against LC if the maximum average linear hull probability (MALHP), $\max_{\mathbf{a},\mathbf{b} \in \{0,1\}^N \setminus \mathbf{0}} E_T[\mathbf{a},\mathbf{b}]$, is sufficiently small that the resulting data complexity is prohibitive for any conceivable attacker. Note that this must hold for $T = R - 1$, because Algorithm 2 as presented attacks the first round. Since variations of LC can be used to attack the first and last rounds of an SPN simultaneously, it may also be important that the data complexity remain prohibitive for $T = R - 2$.

5.3 Best Previous Result

Since evaluation of the MALHP appears to be infeasible in general, researchers have adopted the approach of upper bounding this value. If such an upper bound is sufficiently small, provable security can be claimed. Hong et al. give the best previously known result for the SPN architecture, stated in Theorem 2 below. First we need the following concepts.

Definition 4 ([1]). Any $T$-round characteristic, $\Omega$, determines an input and an output mask for each s-box in rounds $1 \ldots T$. Those s-boxes having nonzero input and output masks are called active.

Definition 5. Let $\Omega \in ALH(\mathbf{a},\mathbf{b})^*$, and let $\mathbf{v}$ be one of the masks in $\Omega$. Then $\mathbf{v}$ is either an input or an output mask for the substitution stage of some round of the SPN. By the definition of $ALH(\mathbf{a},\mathbf{b})^*$ (Definition 3), the active s-boxes in this round can be determined from $\mathbf{v}$ (without knowing the corresponding output/input mask). We define $\gamma_{\mathbf{v}}$ to be the $M$-bit vector which encodes this pattern of active s-boxes: $\gamma_{\mathbf{v}} = \gamma_1\gamma_2\cdots\gamma_M$, where $\gamma_i = 1$ if the $i^{th}$ s-box is active, and $\gamma_i = 0$ otherwise, for $1 \le i \le M$.

Definition 6 ([5]). The branch number of the LT, denoted $B$, is the minimum number of active s-boxes in any two consecutive rounds. It can be given by

$$B = \min\{\mathrm{wt}(\gamma_{\mathbf{v}}) + \mathrm{wt}(\gamma_{\mathbf{w}}) : \mathbf{w} \in \{0,1\}^N \setminus \mathbf{0} \text{ and } \mathbf{v} = (L'\mathbf{w}')'\}.$$

It is not hard to see that $2 \le B \le (M+1)$.

Theorem 2 (Hong et al.). If $B = (M+1)$, then $\max_{\mathbf{a},\mathbf{b} \in \{0,1\}^N\setminus\mathbf{0}} E_T[\mathbf{a},\mathbf{b}] \le \ldots$, and if $B = M$, then $\max_{\mathbf{a},\mathbf{b} \in \{0,1\}^N\setminus\mathbf{0}} E_T[\mathbf{a},\mathbf{b}] \le q^{M-1}$, where $q$ is the maximum linear probability over all SPN s-boxes.

6 New Upper Bound for Maximum Average Linear Hull Probability

In this section we present a new method for upper bounding the maximum average linear hull probability. Our main results are Theorem 3 and Theorem 4. The upper bound we compute depends on:

(a) $q$, the maximum linear probability over all SPN s-boxes

(b) $T$, the number of rounds being approximated by Algorithm 2

(c) the structure of the SPN LT (via the $W[\,]$ table in Definition 7 below)

6.1 Definition and Technical Lemmas

Definition 7. Let $\gamma, \hat\gamma \in \{0,1\}^M$. Then

$$W[\gamma,\hat\gamma] \stackrel{\mathrm{def}}{=} \#\{\mathbf{y} \in \{0,1\}^N : \gamma_{\mathbf{x}} = \gamma,\ \gamma_{\mathbf{y}} = \hat\gamma, \text{ where } \mathbf{x} = (L'\mathbf{y}')'\}.$$

Remark: Informally, the value $W[\gamma,\hat\gamma]$ represents the number of ways the LT can "connect" a pattern of active s-boxes in one round ($\gamma$) to a pattern of active s-boxes in the next round ($\hat\gamma$).

Lemma 2. Let $\Omega$ be a one-round or $T$-round characteristic that makes $A$ s-boxes active. Then $LCP(\Omega) \le q^A$.

Proof. Follows directly from (6) and (7), since each active s-box contributes a factor of at most $q$.

Lemma 3. Let $1 \le t \le T$, and $\mathbf{a}, \mathbf{b}^t \in \{0,1\}^N$. Then

$$\sum_{\mathbf{x}\in\{0,1\}^N} E_T[\mathbf{a},\mathbf{x}] = \sum_{\mathbf{x}\in\{0,1\}^N} LCP^t(\mathbf{x} \to \mathbf{b}^t) = 1.$$

Proof. The second sum equals 1 by application of Parseval's Theorem to round $t$. To see that the first sum is equal to 1, apply Parseval's Theorem to the decryption function for rounds $1 \ldots T$ (masked by $\mathbf{a}$), and take the expected value over the set of independent keys with uniform distribution.

Lemma 4. Let $T \ge 2$, and let $\mathbf{a},\mathbf{b} \in \{0,1\}^N \setminus \mathbf{0}$. For any $\mathbf{x} \in \{0,1\}^N$ viewed as an input mask for the LT, let $\mathbf{y}$ denote the unique corresponding output mask (via the relationship given in Lemma 1). Then

$$E_T[\mathbf{a},\mathbf{b}] = \sum_{\mathbf{x}\in\{0,1\}^N} E_{T-1}[\mathbf{a},\mathbf{x}] \cdot LCP^T(\mathbf{y} \to \mathbf{b}).$$

Proof. Follows immediately from (9) and (7).

Lemma 5. Let $m \ge 2$, and suppose $\{c_i\}_{i=1}^m$, $\{d_i\}_{i=1}^m$ are sequences of nonnegative values. Let $\{\hat c_i\}_{i=1}^m$, $\{\hat d_i\}_{i=1}^m$ be the sequences obtained by sorting $\{c_i\}$ and $\{d_i\}$, respectively, in nonincreasing order. Then

$$\sum_{i=1}^{m} c_i d_i \le \sum_{i=1}^{m} \hat c_i \hat d_i .$$

Proof. See Appendix A.

Lemma 6. Suppose $\{c_i\}_{i=1}^m$, $\{\hat c_i\}_{i=1}^m$, $\{d_i\}_{i=1}^m$ are sequences of nonnegative values, with $\{d_i\}$ sorted in nonincreasing order. Suppose there exists $\hat m$, $1 \le \hat m < m$, such that

(a) $\hat c_i \ge c_i$, for $1 \le i \le \hat m$
(b) $\hat c_i \le c_i$, for $(\hat m + 1) \le i \le m$
(c) $\sum_{i=1}^{m} \hat c_i \ge \sum_{i=1}^{m} c_i$

Then $\sum_{i=1}^{m} c_i d_i \le \sum_{i=1}^{m} \hat c_i d_i$.

Proof. See Appendix A.

6.2 Derivation of New Upper Bound

Our approach is to compute an upper bound for each nonzero pattern of active s-boxes in round 1 and round $T$ ($T \ge 2$); that is, we compute $UB_T[\gamma,\hat\gamma]$, for $\gamma,\hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$, such that the following holds:

UB Property for $T$. For all $\mathbf{a},\mathbf{b} \in \{0,1\}^N \setminus \mathbf{0}$, $E_T[\mathbf{a},\mathbf{b}] \le UB_T[\gamma_{\mathbf{a}}, \gamma_{\mathbf{b}}]$.

If the UB Property for $T$ holds, then an upper bound for the MALHP is given by $\max_{\gamma,\hat\gamma \in \{0,1\}^M\setminus\mathbf{0}} UB_T[\gamma,\hat\gamma]$. We first handle the case $T = 2$ in Theorem 3 and then use a recursive technique for $T \ge 3$ in Theorem 4.

Theorem 3. Let $\gamma,\hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$, $f = \mathrm{wt}(\gamma)$, $\ell = \mathrm{wt}(\hat\gamma)$, and $W = W[\gamma,\hat\gamma]$. If

$$UB_2[\gamma,\hat\gamma] = \begin{cases} \min\{q^f, q^\ell\} & \text{if } \max\{q^f, q^\ell\} \cdot W \ge 1 \\ q^{f+\ell} \cdot W & \text{if } \max\{q^f, q^\ell\} \cdot W < 1 \end{cases} \qquad (10)$$

then the UB Property for 2 holds.
Proof. Let $\gamma,\hat\gamma \in \{0,1\}^M\setminus\mathbf{0}$ be fixed, and let $\mathbf{a},\mathbf{b} \in \{0,1\}^N\setminus\mathbf{0}$ such that $\gamma_{\mathbf{a}} = \gamma$ and $\gamma_{\mathbf{b}} = \hat\gamma$. We want to show that $E_2[\mathbf{a},\mathbf{b}] \le UB_2[\gamma,\hat\gamma]$. There are $W = W[\gamma,\hat\gamma]$ ways that the LT can "connect" the $f$ active s-boxes in round 1 to the $\ell$ active s-boxes in round 2. Let $\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_W$ be the corresponding input masks for the LT, and let $\mathbf{y}_1, \mathbf{y}_2, \ldots, \mathbf{y}_W$ be the respective output masks (so $\gamma_{\mathbf{x}_i} = \gamma$ and $\gamma_{\mathbf{y}_i} = \hat\gamma$). Let $c_i = LCP^1(\mathbf{a} \to \mathbf{x}_i)$ and $d_i = LCP^2(\mathbf{y}_i \to \mathbf{b})$, for $1 \le i \le W$.

From Lemma 4 we have $E_2[\mathbf{a},\mathbf{b}] = \sum_{i=1}^{W} c_i d_i$. We know that $0 \le c_i \le q^f$, $0 \le d_i \le q^\ell$ (by Lemma 2) and $\sum_{i=1}^{W} c_i \le 1$, $\sum_{i=1}^{W} d_i \le 1$ (by Lemma 3). Without loss of generality, assume that $f \ge \ell$, so $\min\{q^f, q^\ell\} = q^f$ and $\max\{q^f, q^\ell\} = q^\ell$ (since $0 < q < 1$). Note that $q^f$ always upper bounds $E_2[\mathbf{a},\mathbf{b}]$, since $E_2[\mathbf{a},\mathbf{b}] = \sum_{i=1}^{W} c_i d_i \le q^f \sum_{i=1}^{W} d_i \le q^f$; we use this upper bound in the first case of (10). On the other hand, $q^{f+\ell} \cdot W$ also upper bounds $E_2[\mathbf{a},\mathbf{b}]$, since $\sum_{i=1}^{W} c_i d_i \le \sum_{i=1}^{W} q^f q^\ell = q^{f+\ell} \cdot W$. If $q^\ell \cdot W = 1$, the two upper bounds are identical. If $q^\ell \cdot W < 1$, then $q^{f+\ell} \cdot W < q^f$, so we use $q^{f+\ell} \cdot W$ as the upper bound in the second case of (10).

Theorem 4. Let $T \ge 3$. Assume that values $UB_{T-1}[\gamma,\hat\gamma]$ have been computed for all $\gamma,\hat\gamma \in \{0,1\}^M\setminus\mathbf{0}$ such that the UB Property for $(T-1)$ holds. Let values $UB_T[\gamma,\hat\gamma]$ be computed using the algorithm in Figure 3. Then the UB Property for $T$ holds.

Proof. Throughout this proof, "Line X" refers to the $X^{th}$ line in Figure 3. Let $\mathbf{a},\mathbf{b} \in \{0,1\}^N\setminus\mathbf{0}$. It suffices to show that if $\gamma = \gamma_{\mathbf{a}}$ in Line 1 and $\hat\gamma = \gamma_{\mathbf{b}}$ in Line 2, then the value $UB_T[\gamma,\hat\gamma]$ computed in Figure 3 satisfies $E_T[\mathbf{a},\mathbf{b}] \le UB_T[\gamma,\hat\gamma]$. Enumerate the nonzero output masks for the LT as $\mathbf{y}_1, \mathbf{y}_2, \ldots, \mathbf{y}_{2^N-1}$, and let the corresponding input masks be given by $\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_{2^N-1}$, respectively. From Lemma 4 we have $E_T[\mathbf{a},\mathbf{b}] = \sum_{i=1}^{2^N-1} E_{T-1}[\mathbf{a},\mathbf{x}_i] \cdot LCP^T(\mathbf{y}_i \to \mathbf{b})$. If $\gamma_{\mathbf{y}_i} \ne \gamma_{\mathbf{b}}\ (= \hat\gamma)$, then $LCP^T(\mathbf{y}_i \to \mathbf{b}) = 0$ (by the Piling-up Lemma), so these $\mathbf{y}_i$ can be removed from consideration, leaving $\mathbf{y}_1, \mathbf{y}_2, \ldots, \mathbf{y}_L$, and corresponding input masks, $\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_L$, respectively.

Let $c_i = E_{T-1}[\mathbf{a},\mathbf{x}_i]$ and $d_i = LCP^T(\mathbf{y}_i \to \mathbf{b})$, for $1 \le i \le L$. Then $E_T[\mathbf{a},\mathbf{b}] = \sum_{i=1}^{L} c_i d_i$. Let $\ell = \mathrm{wt}(\hat\gamma)$ (Line 3), and let $u_i = UB_{T-1}[\gamma, \gamma_{\mathbf{x}_i}]$, for $1 \le i \le L$. Then $0 \le c_i \le u_i$, $0 \le d_i \le q^\ell$ (the latter by Lemma 2), and $\sum_{i=1}^{L} c_i \le 1$, $\sum_{i=1}^{L} d_i \le 1$ (by Lemma 3). It follows immediately that $E_T[\mathbf{a},\mathbf{b}] \le q^\ell \sum_{i=1}^{L} c_i \le q^\ell$. We use this upper bound in Case I (Lines 19, 20).

Now note that some of the terms in $\{u_i\}$ are identical, since if $1 \le i < j \le L$ and $\gamma_{\mathbf{x}_i} = \gamma_{\mathbf{x}_j}$, then $u_i = u_j$. We use this to define an equivalence relation on $\{\mathbf{x}_i\}$: $\mathbf{x}_i \equiv \mathbf{x}_j$ iff $\gamma_{\mathbf{x}_i} = \gamma_{\mathbf{x}_j}$. It can be seen that the number of elements in the equivalence class of $\mathbf{x}_i$ is $W[\gamma_{\mathbf{x}_i}, \hat\gamma]$.

Select indices $j_1, j_2, \ldots, j_H$ such that $\{\mathbf{x}_{j_h}\}_{h=1}^{H}$ consists of one representative from each equivalence class. Let $\tilde\gamma_h = \gamma_{\mathbf{x}_{j_h}}$, $U_h = u_{j_h} = UB_{T-1}[\gamma, \tilde\gamma_h]$, and $W_h = W[\tilde\gamma_h, \hat\gamma]$, for $1 \le h \le H$. Without loss of generality, assume that the indices are ordered such that $U_1 \ge U_2 \ge \cdots \ge U_H$. It is an important observation that the values $\tilde\gamma_h$, $U_h$, and $W_h$ are the same as those defined in Lines 5, 7, and 8. The following four facts are straightforward.
1. For each $\gamma \in \{0,1\}^M \setminus \mathbf{0}$
2.   For each $\hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$
3.     $\ell \leftarrow \mathrm{wt}(\hat\gamma)$
4.     $\Gamma \leftarrow \{\tilde\gamma \in \{0,1\}^M \setminus \mathbf{0} : W[\tilde\gamma, \hat\gamma] \ne 0\}$
5.     Order the elements of $\Gamma$ as $\tilde\gamma_1, \tilde\gamma_2, \ldots, \tilde\gamma_H$ such that
6.       $UB_{T-1}[\gamma, \tilde\gamma_1] \ge UB_{T-1}[\gamma, \tilde\gamma_2] \ge \cdots \ge UB_{T-1}[\gamma, \tilde\gamma_H]$
7.     $U_h \leftarrow UB_{T-1}[\gamma, \tilde\gamma_h]$, for $1 \le h \le H$
8.     $W_h \leftarrow W[\tilde\gamma_h, \hat\gamma]$, for $1 \le h \le H$
9.     $S_U \leftarrow \sum_{h=1}^{H} U_h W_h$
10.    $S_q \leftarrow q^\ell \cdot \sum_{h=1}^{H} W_h$
11.    $H_U \leftarrow H$
12.    If $S_U > 1$ then
13.      $H_U \leftarrow \min\{g : 1 \le g \le H,\ \sum_{h=1}^{g} U_h W_h \ge 1\}$
14.      $S_U \leftarrow 1 - \sum_{h=1}^{H_U - 1} U_h W_h$
15.    $H_q \leftarrow H$
16.    If $S_q > 1$ then
17.      $H_q \leftarrow \min\{g : 1 \le g \le H,\ q^\ell \sum_{h=1}^{g} W_h \ge 1\}$
18.      $S_q \leftarrow 1 - q^\ell \sum_{h=1}^{H_q - 1} W_h$
19.    (Case I) If $(S_q \le 1 < S_U)$ or $(1 < S_U, S_q$ and $H_U < H_q)$ then
20.      $UB_T[\gamma, \hat\gamma] \leftarrow q^\ell$
21.    (Case II) Else if $(S_U, S_q \le 1)$ then
22.      $UB_T[\gamma, \hat\gamma] \leftarrow q^\ell S_U$
23.    (Case III) Else if $(S_U \le 1 < S_q)$ or $(1 < S_U, S_q$ and $H_U > H_q)$ then
24.      $UB_T[\gamma, \hat\gamma] \leftarrow \left(q^\ell \cdot \sum_{h=1}^{H_q - 1} U_h W_h\right) + U_{H_q} \cdot S_q$
25.    (Case IV) Else if $(1 < S_U, S_q$ and $H_U = H_q \stackrel{\mathrm{def}}{=} \hat H)$ then
26.      $UB_T[\gamma, \hat\gamma] \leftarrow \left(q^\ell \cdot \sum_{h=1}^{\hat H - 1} U_h W_h\right) + \min\{U_{\hat H} \cdot S_q,\ q^\ell \cdot S_U\}$

Fig. 3. Algorithm to compute $UB_T[\,]$ for $T \ge 3$



Fact 1 $\sum_{h=1}^{H} W_h = L$.

Fact 2 $\sum_{i=1}^{L} u_i = \sum_{h=1}^{H} U_h W_h = S_U$ ($S_U$ is defined in Line 9).

Fact 3 $q^\ell L = q^\ell \cdot \sum_{h=1}^{H} W_h = S_q$ ($S_q$ is defined in Line 10).

Using Fact 2, we get the upper bound $E_T[\mathbf{a},\mathbf{b}] = \sum_{i=1}^{L} c_i d_i \le \sum_{i=1}^{L} u_i q^\ell = q^\ell S_U$. If $S_U \le 1$, this upper bound is no larger than that of Case I; if $S_U < 1$, it is strictly smaller. This is the upper bound we use in Case II (Lines 21, 22).
The proofs of Cases I and II have parallels to the proofs of the two cases in Theorem 3. For Cases III and IV, however, we require additional techniques, since the terms which upper bound the $c_i$ (namely, the $u_i$) are not, in general, all the same (in the proof of Theorem 3 all the $c_i$ are upper bounded by $q^f$). The intuition for what follows is this: Since $\sum_{i=1}^{L} d_i \le 1$, it is not necessary to replace all the $d_i$ by the value $q^\ell$ if the consequence is that $q^\ell L > 1$. Instead, certain of the $d_i$ are replaced by $q^\ell$ and the rest by 0, so that the resulting summation is 1 (a residue term may be required). To ensure an upper bound, it is necessary that the $q^\ell$ terms be multiplied by the largest of the $u_i$ terms. This is the reason for the sorting in Lines 5-6. (A "cutoff" of the $u_i$ terms at the value 1 is also applied.)

Sort $\{c_i\}$, $\{d_i\}$, and $\{u_i\}$ in nonincreasing order to obtain the sequences $\{\hat c_i\}$, $\{\hat d_i\}$, and $\{\hat u_i\}$, respectively. Clearly $\hat c_i \le \hat u_i$, for $1 \le i \le L$. Applying Lemma 5 we have $\sum_{i=1}^{L} c_i d_i \le \sum_{i=1}^{L} \hat c_i \hat d_i$. If $S_U = \sum_{i=1}^{L} \hat u_i \le 1$, let $\tilde c_i = \hat u_i$, for $1 \le i \le L$. If $S_U > 1$, let $L_U$ ($1 \le L_U \le L$) be minimum such that $\sum_{i=1}^{L_U} \hat u_i \ge 1$, and let $\{\tilde c_i\}$ consist of the first $L$ terms of

$$\hat u_1, \hat u_2, \ldots, \hat u_{L_U - 1}, \left(1 - \sum_{i=1}^{L_U - 1} \hat u_i\right), 0, 0, 0, \ldots$$

If $S_q = q^\ell L \le 1$, let $\tilde d_i = q^\ell$ for $1 \le i \le L$. Otherwise, if $S_q > 1$, let $L_q$ … and let $\{\tilde d_i\}$ consist of the first $L$ terms of

$$\underbrace{q^\ell, q^\ell, \ldots, q^\ell}_{L_q \text{ terms}}, \left(1 - L_q q^\ell\right), 0, 0, 0, \ldots$$

Then $\{\hat c_i\}$, $\{\tilde c_i\}$, and $\{\hat d_i\}$ satisfy the conditions on the sequences $\{c_i\}$, $\{\hat c_i\}$, and $\{d_i\}$ (in that order) in the statement of Lemma 6, so $\sum_{i=1}^{L} \hat c_i \hat d_i \le \sum_{i=1}^{L} \tilde c_i \hat d_i$. Also, $\{\hat d_i\}$, $\{\tilde d_i\}$, and $\{\tilde c_i\}$ satisfy the conditions on the three sequences in the statement of Lemma 6 (in that order), and therefore $\sum_{i=1}^{L} \tilde c_i \hat d_i \le \sum_{i=1}^{L} \tilde c_i \tilde d_i$. Combining, we get $E_T[\mathbf{a},\mathbf{b}] \le \sum_{i=1}^{L} \tilde c_i \tilde d_i$, so it remains to show that $\sum_{i=1}^{L} \tilde c_i \tilde d_i \le UB_T[\gamma,\hat\gamma]$. Define the partial sums $P_0 = 0$ and $P_h = \sum_{j=1}^{h} W_j$, for $1 \le h \le H$ (so $P_H = L$).



Case III (Lines 23, 24) If either condition in Line 23 holds, then

(a) $\tilde c_i = U_h$ and $\tilde d_i = q^\ell$, for $(P_{h-1} + 1) \le i \le P_h$, $1 \le h \le (H_q - 1)$

(b) $\tilde c_i = U_{H_q}$, for $(P_{H_q - 1} + 1) \le i \le P_{H_q}$

(c) $\sum_{i = (P_{H_q - 1} + 1)}^{P_{H_q}} \tilde d_i = S_q$

(d) $\tilde d_i = 0$, for $i \ge (P_{H_q} + 1)$

It follows that $\sum_{i=1}^{L} \tilde c_i \tilde d_i = \left(q^\ell \cdot \sum_{h=1}^{H_q - 1} U_h W_h\right) + U_{H_q} \cdot S_q$, which is the upper bound used in Case III.



Case IV (Lines 25, 26) If the condition in Line 25 holds, then (using the definition of $\hat H$ in Line 25)

(a) $\tilde c_i = U_h$ and $\tilde d_i = q^\ell$, for $(P_{h-1} + 1) \le i \le P_h$, $1 \le h \le (\hat H - 1)$

(b) …

(c) $\tilde c_i = \tilde d_i = 0$, for $i \ge (P_{\hat H} + 1)$

Let $Y = q^\ell \cdot \sum_{h=1}^{\hat H - 1} U_h W_h$. For $(P_{\hat H - 1} + 1) \le i \le P_{\hat H}$, replacing $\tilde c_i$ by its upper bound $U_{\hat H}$ gives $\sum_{i=1}^{L} \tilde c_i \tilde d_i \le Y + U_{\hat H} \cdot S_q$. For $i$ in the same range, replacing $\tilde d_i$ by its upper bound $q^\ell$ gives $\sum_{i=1}^{L} \tilde c_i \tilde d_i \le Y + q^\ell \cdot S_U$. Combining the above, we get $\sum_{i=1}^{L} \tilde c_i \tilde d_i \le Y + \min\{U_{\hat H} \cdot S_q,\ q^\ell \cdot S_U\}$, the right-hand side of which is the upper bound used in Case IV.
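Definitions 6 and 7, Theorem 3 and the Figure 3 algorithm can all be exercised on a small SPN. The following is an added example (not the paper's code or the authors' implementation): it assumes a 12-bit SPN with $M = 3$ four-bit s-boxes, a constructed invertible LT $\mathbf{y} = \mathbf{x} \oplus (\mathbf{x} \lll 1) \oplus (\mathbf{x} \lll 3)$, and $q = 1/4$. It builds the $W[\,]$ table by enumerating every nonzero LT output mask as in Definition 7, reads off the branch number $B$ of Definition 6, computes $UB_2$ from (10), and then iterates Lines 3-26 of Figure 3 for $T \ge 3$. One reading choice is made explicit in the code: the case tests in Lines 19-25 compare the full sums $S_U$, $S_q$ of Lines 9-10 (as Facts 2 and 3 treat them), while the values written in Lines 14 and 18 are the residues that appear inside the bounds of Lines 24 and 26.

```python
# Toy SPN for Definitions 6-7, Theorem 3 and Figure 3 (constructed example, not the
# paper's code): N = 12 bits, M = 3 s-boxes of n = 4 bits, q assumed to be 1/4.
N_BITS, M, SBOX_BITS = 12, 3, 4
Q = 0.25                                   # assumed maximum s-box linear probability
MASK = (1 << N_BITS) - 1


def rotl(x, r):
    return ((x << r) | (x >> (N_BITS - r))) & MASK


def lt(x):
    """Toy invertible LT (constructed): y = x ^ rotl(x,1) ^ rotl(x,3)."""
    return x ^ rotl(x, 1) ^ rotl(x, 3)


def lt_transpose(y):
    """x = (L' y')' of Lemma 1: the unique LT input mask for output mask y.
    Row i of L' is column i of L, i.e. the image lt(1 << i)."""
    return sum(1 << i for i in range(N_BITS) if bin(lt(1 << i) & y).count("1") & 1)


def pattern(v):
    """gamma_v of Definition 5: bit i set iff s-box i (nibble i, from the low end) is active."""
    return sum(1 << i for i in range(M) if (v >> (SBOX_BITS * i)) & 0xF)


def wt(g):
    return bin(g).count("1")


def w_table():
    """W[gamma][gamma_hat] of Definition 7, by enumerating every nonzero LT output mask y."""
    W = [[0] * (1 << M) for _ in range(1 << M)]
    for y in range(1, 1 << N_BITS):
        W[pattern(lt_transpose(y))][pattern(y)] += 1
    return W


def branch_number(W):
    """B of Definition 6: least number of active s-boxes over two consecutive rounds."""
    return min(wt(g) + wt(gh) for g in range(1, 1 << M)
               for gh in range(1, 1 << M) if W[g][gh])


def ub2(W, q, g, gh):
    """UB_2[gamma, gamma_hat] of Theorem 3, equation (10)."""
    f, l, w = wt(g), wt(gh), W[g][gh]
    if w == 0:
        return 0.0                         # no characteristic connects these patterns
    if max(q ** f, q ** l) * w >= 1:
        return min(q ** f, q ** l)
    return q ** (f + l) * w


def first_index_reaching_one(terms):
    """min{g : sum of the first g terms >= 1} (1-based), as in Lines 13 and 17."""
    acc = 0.0
    for g, t in enumerate(terms, 1):
        acc += t
        if acc >= 1:
            return g
    return len(terms)


def ub_next(W, q, prev, g, gh):
    """Lines 3-26 of Figure 3 for one (gamma, gamma_hat), given UB_{T-1} in prev."""
    l = wt(gh)                                                  # Line 3
    gam = [gt for gt in range(1, 1 << M) if W[gt][gh]]           # Line 4
    gam.sort(key=lambda gt: -prev[g][gt])                        # Lines 5-6
    U = [prev[g][gt] for gt in gam]                              # Line 7
    Wh = [W[gt][gh] for gt in gam]                               # Line 8
    sum_U = sum(u * w for u, w in zip(U, Wh))                    # Line 9
    sum_q = q ** l * sum(Wh)                                     # Line 10
    H_U, res_U = len(U), sum_U                                   # Line 11
    if sum_U > 1:                                                # Lines 12-14
        H_U = first_index_reaching_one([u * w for u, w in zip(U, Wh)])
        res_U = 1 - sum(U[h] * Wh[h] for h in range(H_U - 1))
    H_q, res_q = len(U), sum_q                                   # Line 15
    if sum_q > 1:                                                # Lines 16-18
        H_q = first_index_reaching_one([q ** l * w for w in Wh])
        res_q = 1 - q ** l * sum(Wh[:H_q - 1])
    both = sum_U > 1 and sum_q > 1
    head = lambda k: q ** l * sum(U[h] * Wh[h] for h in range(k))
    if (sum_q <= 1 < sum_U) or (both and H_U < H_q):             # Case I
        return q ** l
    if sum_U <= 1 and sum_q <= 1:                                # Case II
        return q ** l * sum_U
    if (sum_U <= 1 < sum_q) or (both and H_U > H_q):             # Case III
        return head(H_q - 1) + U[H_q - 1] * res_q
    return head(H_U - 1) + min(U[H_U - 1] * res_q, q ** l * res_U)   # Case IV


def ub_table(W, q, T):
    """UB_T[.,.] for T >= 2: Theorem 3 for T = 2, then Figure 3 once per further round."""
    size = 1 << M
    tbl = [[ub2(W, q, g, gh) for gh in range(size)] for g in range(size)]
    for _ in range(3, T + 1):
        tbl = [[ub_next(W, q, tbl, g, gh) for gh in range(size)] for g in range(size)]
    return tbl


def malhp_bound(tbl):
    """Upper bound on the MALHP: the maximum over nonzero patterns (Section 6.2)."""
    return max(tbl[g][gh] for g in range(1, 1 << M) for gh in range(1, 1 << M))


if __name__ == "__main__":
    W = w_table()
    print("branch number B =", branch_number(W))
    for T in range(2, 6):
        print(f"T={T}: MALHP <= {malhp_bound(ub_table(W, Q, T)):.6g}")
```

With this LT an output mask confined to one s-box can be met by an input mask confined to the same s-box, so $B = 2$, the weakest value Section 5.3 allows; the Hong et al. bounds of Theorem 2 therefore say nothing here, whereas the $W[\,]$-based recursion still produces a bound per pair of active-s-box patterns.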

7 Application of New Upper Bound to Rijndael

To test our new upper bound, we generated random invertible LTs for SPNs with various parameters. We found that for LTs with branch number $B = M$, our upper bound was consistently superior to that of Hong et al. We give the results for one such LT in Appendix B. For LTs with $B = (M+1)$, our upper bound did not appear to improve on that of Hong et al.

However, the bulk of our analysis we reserved for Rijndael with the following parameters: $N = 128$, $R = 10$, $M = 16$, $n = 8$, $q = 2^{-6}$. Note that the result of Hong et al. does not apply to Rijndael, since for Rijndael, $B = 5$ ($< M = 16$). Tailoring our algorithm to any particular SPN involves computation of the values in $W[\,]$ (Definition 7), which for Rijndael is a $2^{16} \times 2^{16}$ table. The Rijndael LT is depicted in Figure 4.




Fig. 4. Rijndael linear transformation 



The 128-bit input block can be viewed as an array of 16 bytes. These bytes are first shuffled according to the figure, and then consecutive 4-byte sequences are fed into copies of the same highly diffusive 32-bit LT (based on maximum-distance-separable (MDS) codes). We first computed the $2^4 \times 2^4$ $W[\,]$ table for the MDS LT, denoted $W_{MDS}[\,]$, by transforming all $2^{32}$ output masks (see Definition 7). Given $\gamma \in \{0,1\}^{16}$ representing a pattern of active s-boxes for the Rijndael LT input, a corresponding 4-bit input pattern is determined for each copy of the MDS LT simply by tracing through the byte "shuffle": denote these $\gamma_1, \gamma_2, \gamma_3, \gamma_4 \in \{0,1\}^4$, from left to right, respectively. Then given $\hat\gamma \in \{0,1\}^{16}$ representing a pattern of active s-boxes for the Rijndael LT output, partition $\hat\gamma$ into consecutive 4-bit sequences representing output patterns for the MDS LT, denoted $\hat\gamma_1, \hat\gamma_2, \hat\gamma_3, \hat\gamma_4 \in \{0,1\}^4$. Then $W[\gamma,\hat\gamma] = \prod_{i=1}^{4} W_{MDS}[\gamma_i, \hat\gamma_i]$.

Since $W[\,]$ turns out to be quite sparse (roughly 80,000,000 of the $2^{32}$ entries are nonzero, around 2%), we precompute it, and store the nonzero entries. By
doing this first for the $W_{MDS}[\,]$ table, computation of $W[\,]$ becomes fairly fast. Computing the upper bound in the case $T = 2$ using Theorem 3 is easy. The main work involves executing the algorithm in Figure 3 for $T = 3 \ldots 10$. Lines 3-26 are executed $(2^{16} - 1)^2$ times for each value of $T$ ($3 \le T \le 10$), a total of $\approx 2^{35}$ iterations. Once the values $\tilde\gamma_1, \tilde\gamma_2, \ldots, \tilde\gamma_H$ in Line 5 are known, the time complexity of Lines 7-26 is $O(H)$. Since the values in $\Gamma$ in Line 4 can be precomputed and stored during generation of $W[\,]$, the sorting specified in Lines 5-6 is the most expensive ($O(H \log H)$). The average value for $H$ is 1191, although individual values vary widely.

For a fixed value of $\gamma$, computing $UB_T[\gamma,\hat\gamma]$ for all $\hat\gamma \in \{0,1\}^{16} \setminus \mathbf{0}$ and all $T$ ($2 \le T \le 10$) takes approximately 40 minutes on a Sun Ultra 5, for a total running time in the range of 44,000 hours on that platform. We completed the computation by distributing it over roughly 60 CPUs for several weeks.

Our results for Rijndael are given in Figure 5. For $7 \le T \le 10$, the upper bound value is $2^{-75}$, giving a corresponding lower bound on the data complexity of LC of $2^{78}$, for a 96.7% success rate (see Section 3). Note that for Algorithm 2 as described in Section 3, $T = R - 1 = 9$.




Fig. 5. New upper bound applied to Rijndael 



8 Conclusion

We have presented a new method for computing an upper bound on the maximum average linear hull probability for SPNs. Our method has the advantage that it can be computed for an SPN with any LT layer, whereas the best previous result (Hong et al.) applies only to SPNs with highly diffusive LTs, i.e., those having branch number $B = M$ or $B = (M+1)$, where $M$ is the number of s-boxes per round. In addition, our upper bound is a function of the number of rounds being approximated; other known upper bounds do not vary with the number of rounds. When applied to an SPN whose LT has branch number $B = (M+1)$ (the maximal case), our upper bound does not appear to improve on that of Hong et al. For SPNs whose LTs have branch number $B = M$, our upper bound is consistently superior to that of Hong et al.

A significant part of our work involved application of our method to Rijndael (with $N = 128$ and $R = 10$). This yielded the upper bound $UB = 2^{-75}$, for a corresponding lower bound on the data complexity of LC of $2^{78}$ (for a 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
Appendix A

Proof (Lemma 5). Without loss of generality, assume that $\{d_i\}$ is already sorted in nonincreasing order, so $\hat d_i = d_i$. If $m = 2$ and $\{c_i\}$ is not sorted, i.e., if $c_1 < c_2$, then $\hat c_1 = c_2$ and $\hat c_2 = c_1$, so

$$\sum_{i=1}^{2} c_i d_i \le \sum_{i=1}^{2} \hat c_i d_i \iff c_1 d_1 + c_2 d_2 \le c_2 d_1 + c_1 d_2 \iff (c_2 - c_1) d_2 \le (c_2 - c_1) d_1 \iff d_2 \le d_1 ,$$

which is true since $\{d_i\}$ was assumed to be sorted. Let $m \ge 3$ and assume the lemma holds for $m - 1$. Let $s$ be the index of a minimal element in $\{c_i\}$, and let $\{\bar c_i\}_{i=1}^{m}$ be the sequence obtained by exchanging $c_s$ and $c_m$ in $\{c_i\}$. Then $\bar c_m = \hat c_m$, and therefore sorting $\{\bar c_i\}_{i=1}^{m-1}$ in nonincreasing order gives $\{\hat c_i\}_{i=1}^{m-1}$. By an argument similar to that of the $m = 2$ case, we have $\sum_{i=1}^{m} c_i d_i \le \sum_{i=1}^{m} \bar c_i d_i$. Applying the induction hypothesis to the first $m - 1$ terms of $\{\bar c_i\}$ and $\{d_i\}$ gives $\sum_{i=1}^{m-1} \bar c_i d_i \le \sum_{i=1}^{m-1} \hat c_i d_i$. Combining these facts, we get

$$\sum_{i=1}^{m} c_i d_i \le \sum_{i=1}^{m} \bar c_i d_i = \sum_{i=1}^{m-1} \bar c_i d_i + \bar c_m d_m \le \sum_{i=1}^{m-1} \hat c_i d_i + \hat c_m d_m = \sum_{i=1}^{m} \hat c_i d_i .$$

Proof (Lemma 6). Let

$$A = \sum_{i=1}^{\hat m} c_i, \quad B = \sum_{i=\hat m+1}^{m} c_i, \quad C = A + B, \qquad \hat A = \sum_{i=1}^{\hat m} \hat c_i, \quad \hat B = \sum_{i=\hat m+1}^{m} \hat c_i, \quad \hat C = \hat A + \hat B .$$

By assumption, $A \le \hat A$, $B \ge \hat B$, and $C \le \hat C$. Let $\Delta A = \hat A - A \ge 0$ and $\Delta B = B - \hat B \ge 0$. Note that $\Delta A - \Delta B = \hat C - C \ge 0$. We have

$$\sum_{i=1}^{\hat m} \hat c_i d_i \ge \sum_{i=1}^{\hat m} c_i d_i + \Delta A \cdot d_{\hat m} \qquad (11)$$

$$\sum_{i=\hat m+1}^{m} \hat c_i d_i \ge \sum_{i=\hat m+1}^{m} c_i d_i - \Delta B \cdot d_{\hat m+1} \qquad (12)$$

Adding (11) and (12), we get

$$\sum_{i=1}^{m} \hat c_i d_i \ge \sum_{i=1}^{m} c_i d_i + \Delta A \cdot d_{\hat m} - \Delta B \cdot d_{\hat m+1} \ge \sum_{i=1}^{m} c_i d_i + \Delta A \cdot d_{\hat m+1} - \Delta B \cdot d_{\hat m+1} = \sum_{i=1}^{m} c_i d_i + (\Delta A - \Delta B) \cdot d_{\hat m+1} \ge \sum_{i=1}^{m} c_i d_i .$$

Appendix B

Some of the LTs which we randomly generated were for SPNs with parameters $N = 24$, $M = 3$, and $n = 8$. For one example of such an LT for which $B = M = 3$, we plot our upper bound against that of Hong et al. in Figure 6, using a $\log_2$ scale on the y-axis. We also plot the value … (the upper bound of Hong et al. for $B = (M+1) = 4$) for comparison purposes. On the x-axis we use minimum nonlinearity, $NL_{\min}$; for $n = 8$, the relationship between $NL_{\min}$ and $q$ is given by $q = \left(1 - NL_{\min}/2^7\right)^2$. For this particular LT, it happened that our upper bound settled on a fixed value for $T = 2$, and did not decrease with an increasing number of rounds; this is the value we plot for each $NL_{\min}$.




Fig. 6. Comparison of new upper bound with that of Hong et al.
Abstract. Message integrity from one sender to one receiver is typically achieved by having the two parties share a secret key to compute a Message Authentication Code (MAC). We consider the "multicast MAC", which is a natural generalization to multiple receivers. We prove that one cannot build a short and efficient collusion resistant multicast MAC without a new advance in digital signature design.



1 Introduction 

We study the problem of message integrity in the context of a single source mul- 
ticast. Consider a TV station, such as the Disney channel. The TV station is 
broadcasting to n receivers. Each receiver would like to ensure that the broad- 
casts are indeed coming from the Disney channel rather than from a malicious 
third party (who might be transmitting offensive material). 

One natural approach would be to employ digital signatures. Suppose the 
transmitter has a secret signing key and each of the receivers has the corre- 
sponding public key. To provide message integrity the transmitter signs every 
message she broadcasts. No coalition of receivers can forge a message/signature 
pair that will fool another receiver. Although signatures provide multicast mes- 
sage integrity they are fundamentally an overkill solution for this problem. First, 
signatures are somewhat expensive to compute. Second, digital signatures pro- 
vide non-repudiation: Any receiver can use the signature to prove to a third 
party that the message came from the transmitter. However, non-repudiation is 
unnecessary for message integrity. 

Message integrity between two parties is usually done by sharing a secret key $k$ between the sender and receiver. When sending a message $M$ the sender computes a keyed hash function $MAC = H_k(M)$ and transmits the MAC along with the message. MACs are much faster than digital signatures, and do not provide non-repudiation. We seek a generalization of MACs for the multicast

* Supported by NSF and the Packard Foundation. 

** Supported by a Microsoft Graduate Research Fellowship. 

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 437-^3 2001. 
setting. This would be a distribution of keys to sender and receivers, and a method for tagging messages by the sender that would be convincing to every receiver. We call this primitive a "multicast MAC" (MMAC).

One simple approach for a MMAC might be to share a global secret key $k$ between the transmitter and all $n$ receivers. The transmitter appends $H_k(M)$ to every transmitted message $M$. Each receiver can then verify the MAC sent by the transmitter. This is insecure since any receiver can forge messages that will fool any other receiver.

Another simple approach is secure but inefficient. The transmitter shares a distinct secret key $k_i$ with each of the $n$ receivers $u_1, \ldots, u_n$. When sending a message $M$ the transmitter computes $MMAC = H_{k_1}(M) \| \ldots \| H_{k_n}(M)$ and transmits $(M, MMAC)$. Each receiver $u_i$ verifies the MMAC by using the entry that corresponds to the key $k_i$. This construction is secure, in the sense that no coalition of users can create a message/MMAC pair that will fool a user outside the coalition (since they do not have the outsider's MAC key). Unfortunately, the length of the MMAC is linear in the number of receivers. Hence, this construction is not very practical, even though it avoids non-repudiation.

Since none of the above solutions is perfect, it is tempting to try to build a 
MMAC that is as short as a signature (i.e., length independent of the number 
of receivers), but much more efficient. We give lower bounds that suggest that 
this might be a difficult task. Our main results show that if one could build 
practical (i.e. short) MMACs, then they could be converted into new efficient 
digital signature schemes. Consequently, it is unlikely that practical MMACs 
could be constructed without an unexpected advance in digital signature design. 

We can relax our security requirement by saying that a MMAC is $\kappa$-secure if no coalition of size less than $\kappa$ can fool another receiver. In Section 3 we generalize our lower bound and show that if one could build a $\kappa$-secure MMAC whose length is less than $\log_2(\ldots)$, it could be converted into an efficient signature scheme. For small values of $\kappa$ this lower bound is approximated by $O(\kappa \log n)$. This lower bound matches an upper bound construction based on pseudorandom functions due to Canetti et al. Hence our results show that for small values of $\kappa$ the Canetti et al. construction is optimal.

Our results demonstrate the importance of recent constructions for practical multicast authentication. Some of these constructions achieve great efficiency (well beyond what is implied by our bounds) by making use of additional assumptions, such as weak time synchronization between sender and receivers. We emphasize that our lower bounds for MMACs suggest difficulty only for constructions that use the standard model for MACs, as described in the next section.

A fundamental result of theoretical cryptography is that a digital signature scheme can be derived from any one way function. Since the existence of a multicast MAC implies the existence of a one way function, that would seem to imply a reduction of the form that we claim. However, this construction is far too inefficient to be considered for any practical purposes. In contrast, our results are achieved through direct reductions from multicast MACs to public key signature schemes. Our reductions are efficient, in the sense that the derived signature schemes have almost the same level of security as the underlying MMAC schemes.

1.1 Related Work 

Previous work on multicast authentication followed two tracks: (1) the computa- 
tional model, based on pseudorandom functions and hash functions, and (2) the 
information theoretic model, providing unconditional security. Constructions in 
the information theoretic model provide very strong security guarantees. This 
strong security comes at a price: The secret key can only be used for a small num- 
ber of messages. MMACs built in the computational model are not as strong, 
since their security depends on a complexity assumption. However, computa- 
tional MMACs can be used to authenticate many messages using relatively short 
keys. All of the results in this paper are set in the computational model. 

In the computational model, Canetti et al. construct a $\kappa$-secure MMAC by concatenating many pseudorandom functions whose output is a single bit. This construction does not provide non-repudiation. As mentioned above, our results show that this clever construction is optimal. We note that the security model of Canetti et al. is slightly different from our security model. They require that a coalition should not be able to create a forgery that can fool a specific receiver. In some cases a coalition might be content if a broadcast of a forged message fools any receiver. Hence, in our model, a forgery is considered successful if it fools any receiver outside the coalition. Adapting the construction of Canetti et al. to this stronger security model adds a factor of $\ln n$ to the length of their MMAC. The result is a MMAC of length $4e(\kappa + 1) \ln n \ln(1/\epsilon)$ where $n$ is the number of receivers, $\epsilon$ is the failure probability, and $e = 2.718$. For small values of $\kappa$, and a fixed $\epsilon$, our lower bound of $O(\kappa \log n)$ asymptotically matches their upper bound.

In the information theoretic model, Multicast MACs were introduced by Desmedt, Frankel, and Yung (see also Simmons for the somewhat related notion of authentication codes with arbitration). They gave two constructions for $\kappa$-secure MMACs. Kurosawa and Obana derived elegant lower bounds on the probability of success in impersonation and substitution attacks. They showed that the DFY construction is optimal. Safavi-Naini and Wang show how to construct information theoretic MMACs using cover free set systems. Their constructions are similar to the ones given by Desmedt, Frankel, and Yung. Cover free set systems were also used by Fujii et al.

We briefly review the use of signatures as an alternative to MMACs for multicast authentication. There are two difficulties in using signatures for multicast MACs: (1) in streaming audio and video applications one cannot afford to buffer the entire message prior to signing it, and (2) multicast transmissions suffer from packet loss (multicast does not provide packet loss recovery), so one needs signature schemes for an unreliable transmission channel. Problem (1) is often solved by combining standard signatures with fast one time signatures. Problem (2) is solved by introducing various types of redundancy during signature generation.
We note that several recent constructions provide short multicast message authentication without non-repudiation. The authentication tags in these constructions are shorter than our lower bounds predict since they rely on some weak timing synchronization between sender and receivers. Our lower bounds suggest that one must resort to such assumptions to obtain practical multicast authentication without non-repudiation.

2 Definitions 

We begin by giving precise definitions for MMACs secure against existential and selective forgeries. To reduce the number of definitions in the section we only consider the strongest adversaries, namely adversaries capable of adaptive chosen message attacks. For completeness, we briefly recall definitions of security for signature schemes.

2.1 Multicast MACs 

A Multicast MAC, or MMAC, is specified by three randomized algorithms (key-gen, mac-gen, mac-ver).

key-gen: takes a security parameter $s$ and a number of receivers $n$ and returns keys $sk, rk_1, \ldots, rk_n \in \{0,1\}^*$. We call $sk$ the sender key and $rk_i$ the $i$th receiver key.

mac-gen: takes as input a message $M \in \{0,1\}^*$ and a key $K \in \{0,1\}^*$ and returns a tag $T = \text{mac-gen}(M, K) \in \{0,1\}^\tau$ for some fixed tag length $\tau$ bits.

mac-ver: takes as input a message $M \in \{0,1\}^*$, a tag $T \in \{0,1\}^\tau$, and a key $K \in \{0,1\}^*$, and returns a bit: $\text{mac-ver}(M, T, K) \in \{\text{'yes'}, \text{'no'}\}$.

These algorithms are subject to the constraint that for all $(sk, rk_1, \ldots, rk_n)$ produced by key-gen$(s, n)$ we have that

$$\forall M \in \{0,1\}^*,\ \forall i \in \{1, \ldots, n\} : \text{mac-ver}(M, \text{mac-gen}(M, sk), rk_i) = \text{'yes'}$$

In other words, tags created by mac-gen using the correct sender key verify correctly for all receivers. Each of these algorithms must run in time polynomial in $n$, $s$, and the size of the message input.

MMAC security against selective forgery. A MMAC (key-gen, mac-gen, mac-ver) is said to be $(t, \varepsilon, q)$-secure against selective forgery under an adaptive chosen message attack if every $t$-time probabilistic algorithm $A$ wins the game below with probability at most $\varepsilon$. We model the game as a communication between a challenger and the forging algorithm $A$. See Figure 1. We assume that the system parameters $n$ and $s$ are fixed ahead of time.

Step 1: The forging algorithm $A$ starts the game by sending the challenger a target message $M \in \{0,1\}^*$. The forger's goal is to forge a MMAC for this message $M$. The forger also sends a subset $I \subseteq \{1, \ldots, n\}$. The subset $I$ should be viewed as the set of receivers colluding to fool some other receiver.
[Figure 1 (message-flow diagrams, recovered from the layout residue): two games between a challenger and a forger. MMAC: Selective Forgery: the forger sends the target message $M$ and the coalition $I \subseteq \{1, \ldots, n\}$; the challenger runs key-gen and returns $rk_{i_1}, \ldots, rk_{i_w}$; the forger sends queries $M_1, \ldots, M_q$ with $M_i \neq M$ for all $i$ and receives $T_i = \text{mac-gen}(M_i, sk)$; finally the forger outputs $T$ and wins if $\exists j \notin I: \text{mac-ver}(M, T, rk_j) = \text{`yes'}$. MMAC: Existential Forgery: the same exchange, except that the forger sends only $I$ at the start and outputs the pair $(M, T)$ at the end, with the same winning condition.]

Fig. 1. The games used to define two security notions for a MMAC.



Step 2: The challenger runs algorithm key-gen$(s, n)$ and obtains the MMAC keys $(sk, rk_1, \ldots, rk_n)$. The challenger sends the subset $\{rk_i\}_{i \in I}$ to $A$.

Step 3: Algorithm $A$ then mounts a chosen message attack by sending queries $M_1, \ldots, M_q$ to the challenger, where $M_i \neq M$ for all $i = 1, \ldots, q$. The challenger responds with $T_i = \text{mac-gen}(M_i, sk)$ for $i = 1, \ldots, q$. Note that these queries may be issued adaptively. That is, the adversary $A$ might wait for a response $T_i$ before issuing request $M_{i+1}$.

Step 4: Finally, $A$ outputs a candidate MMAC, $T$, for the target message $M$.

We say that $A$ wins this game if $T$ verifies as a valid tag for $M$ for some receiver $j$ outside of $I$. More precisely, we say that $A$ wins the game if

$$\exists j \notin I \text{ s.t. } \text{mac-ver}(M, T, rk_j) = \text{`yes'}.$$

The probability that $A$ wins this game is taken over the random coin flips of the algorithms key-gen, mac-gen, mac-ver, and the random coin flips of $A$.

The definition above assumes the adversary commits to the set of corrupt users $I$ at the beginning of the game. One can also consider a stronger definition where the adversary is dynamic: the adversary adaptively chooses which users to corrupt during the game. Since our lower bounds already apply when the adversary is restricted to the static setting, the same lower bounds apply in the dynamic setting. Therefore, throughout the paper we only consider static adversaries.

MMAC security against existential forgery. A MMAC (key-gen, mac-gen, mac-ver) is said to be $(t, \varepsilon, q)$-secure against existential forgery under an adaptive chosen message attack if every $t$-time probabilistic algorithm $A$ wins the following modified game with probability less than $\varepsilon$. The game is identical to the above, except that $A$ does not commit to the message $M$ in Step 1. Instead, the target message $M$ is output by $A$ in the last step (Step 4), at the same time as the candidate tag $T$. Note that we must have $M \neq M_i$ for all $i$. See Figure 1.



2.2 Signature Schemes 

Our goal is to establish a relation between MMACs and digital signatures. We therefore briefly review two notions of security for digital signatures: security against selective forgery, and security against existential forgery |0|. We review both notions under a chosen message attack.

A signature scheme is specified by three probabilistic algorithms (skey-gen, sig-gen, sig-ver).

skey-gen: takes a security parameter $s$ and returns keys $K_{sec}, K_{pub} \in \{0,1\}^*$. We call $K_{sec}$ the secret key and $K_{pub}$ the public key.

sig-gen: takes as input a message $M \in \{0,1\}^*$ and a key $K \in \{0,1\}^*$ and returns a signature $S = \text{sig-gen}(M, K) \in \{0,1\}^*$.

sig-ver: takes as input a message $M \in \{0,1\}^*$, a candidate signature $S \in \{0,1\}^*$, and a key $K \in \{0,1\}^*$, and returns a bit: $\text{sig-ver}(M, S, K) \in \{\text{`yes'}, \text{`no'}\}$.

These algorithms are subject to the constraint that for all pairs $(K_{sec}, K_{pub})$ produced by skey-gen$(s)$, we have that

$$\forall M \in \{0,1\}^*:\ \text{sig-ver}(M, \text{sig-gen}(M, K_{sec}), K_{pub}) = \text{`yes'}.$$

Each of these algorithms must run in time polynomial in $n$, $s$, and the size of the input.



Signature security against selective and existential forgery. A signature scheme (skey-gen, sig-gen, sig-ver) is said to be $(t, \varepsilon, q)$-secure against selective forgery under an adaptive chosen message attack if every $t$-time probabilistic algorithm $B$ wins the game below with probability at most $\varepsilon$. See Figure 2. We assume the security parameter $s$ has already been fixed.

Step 1: The forging algorithm $B$ outputs a target message $M \in \{0,1\}^*$.

Step 2: The challenger runs algorithm skey-gen$(s)$ and obtains the keys $(K_{sec}, K_{pub})$. The challenger sends $K_{pub}$ to $B$.

Step 3: Algorithm $B$ then mounts a chosen message attack by querying the challenger with messages $M_1, \ldots, M_q \in \{0,1\}^*$, where $M_i \neq M$ for all $i = 1, \ldots, q$. The challenger responds with $S_i = \text{sig-gen}(M_i, K_{sec})$. Note that these queries may be issued adaptively.

Step 4: Finally, $B$ outputs a candidate signature $S$ for the target message $M$.
[Figure 2 (message-flow diagrams, recovered from the layout residue): Signatures: Selective Forgery: the forger sends the target message $M$; the challenger runs skey-gen and returns $K_{pub}$; the forger sends queries $M_1, \ldots, M_q$ with $M_i \neq M$ for all $i$ and receives $S_i = \text{sig-gen}(M_i, K_{sec})$; finally the forger outputs $S$ and wins if $\text{sig-ver}(M, S, K_{pub}) = \text{`yes'}$. Signatures: Existential Forgery: the same exchange without the initial commitment to $M$; the forger outputs $(M, S)$ at the end, with the same winning condition.]

Fig. 2. Signature Scheme Security.



We say that $B$ wins this game if $S$ verifies as a valid signature on $M$. More precisely, we say that $B$ wins this game if $\text{sig-ver}(M, S, K_{pub}) = \text{`yes'}$.

Similarly, a signature scheme is said to be $(t, \varepsilon, q)$-secure against existential forgery under an adaptive chosen message attack if every $t$-time probabilistic algorithm $B$ wins a modified game with probability less than $\varepsilon$. The game is identical to the above, except that the target message $M$ is output by $B$ in the last step (Step 4), at the same time as the candidate signature $S$. See Figure 2.

3 Equivalence of MMAC and Signing for Selective Forgery

One can easily show that for each notion of security defined above, every $(t, \varepsilon, q)$-secure signature scheme is also a $(t, \varepsilon, q)$-secure multicast authentication code.
Our goal in the next two sections is to show an approximate converse: any short 
MMAC gives rise to a signature scheme with an almost equal level of security. 
We begin by showing that a MMAC secure against selective forgery gives rise to 
a signature scheme secure against selective forgery. In the next section, we show 
a similar result for existential forgery. 

The derived signature scheme: Given a MMAC (key-gen, mac-gen, mac-ver) we define the derived signature scheme (skey-gen, sig-gen, sig-ver) as follows:

skey-gen$(s, n)$: 1. Run key-gen$(s, n)$ to get $(sk, rk_1, \ldots, rk_n)$. 2. Pick a random subset $I = \{i_1, \ldots, i_w\} \subseteq \{1, \ldots, n\}$. 3. Output $K_{sec} = sk$ and $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$.

sig-gen$(M, K_{sec})$: Output $T = \text{mac-gen}(M, K_{sec})$.

sig-ver$(M, S, K_{pub})$: Write $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$. Output `yes' if and only if for all $j = 1, \ldots, w$, $\text{mac-ver}(M, S, rk_{i_j}) = \text{`yes'}$.



The following theorem shows that the derived signature scheme has nearly identical security properties to the MMAC.

Theorem 1. Suppose the MMAC (key-gen, mac-gen, mac-ver) is $(t, \varepsilon, q)$-secure against selective forgery under an adaptive chosen message attack, and suppose the length of the output of $\text{mac-gen}(M, sk)$ is bounded above by $\tau = n - m$ for all $M$ and $sk$. Then the derived signature scheme (skey-gen, sig-gen, sig-ver) is $(t, \varepsilon + \frac{1}{2^m}, q)$-secure against selective forgery under an adaptive chosen message attack.

Note that taking $m = 80$ already results in a sufficiently secure signature scheme. Hence, whenever the MMAC length is slightly shorter than the number of receivers, $n$, the MMAC is easily converted into a secure signature scheme.

Proof. Suppose we have a forger $B$ that produces successful selective forgeries for the derived signature scheme (skey-gen, sig-gen, sig-ver). We build a forger $A$ for the MMAC (key-gen, mac-gen, mac-ver). The proof will follow by contradiction. Recall that we model security as the probability of winning a game against a certain challenger. We describe how the algorithm $A$ interacts with the challenger in this game, using $B$ as a subroutine. See Figure 3.

Step 1: The algorithm $A$ runs $B$ to obtain the selected message $M$, which it forwards to the challenger as the message intended for its own selective forgery.

Step 2: Algorithm $A$ chooses a random subset $I = \{i_1, \ldots, i_w\} \subseteq \{1, \ldots, n\}$ and sends this to the challenger. The challenger responds with $(rk_{i_1}, \ldots, rk_{i_w})$ for some $(sk, rk_1, \ldots, rk_n)$ generated randomly by key-gen.

Step 3: The algorithm $A$ sets $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$ and sends $K_{pub}$ to $B$. The distribution on $K_{pub}$ is identical to the distribution on keys generated by skey-gen.

Step 4: Algorithm $A$ now continues the execution of $B$, forwarding each query $M_i$ to the challenger, and passing along each response $T_i$ back to $B$. Note that $T_i$ is a valid signature on $M_i$ as defined by the derived signature scheme.

Step 5: After at most $q$ queries, $B$ outputs a signature forgery $S$ for $M$. The algorithm $A$ outputs $S$ as its candidate MMAC forgery for $M$.

We show that $A$ wins the selective forgery game for MMACs with probability at least $\varepsilon$. That is, $S$ is a MMAC forgery with probability at least $\varepsilon$. The proof is based on the concept of a "bad pair". Let $M'$ be a message in $\{0,1\}^*$ and let
[Figure 3 (message-flow diagram, recovered from the layout residue): three columns, challenger, algorithm $A$, algorithm $B$. $B$ sends the target message $M$ to $A$, which forwards it to the challenger together with a random subset $I \subseteq \{1, \ldots, n\}$; the challenger runs key-gen and returns $rk_{i_1}, \ldots, rk_{i_w}$, which $A$ passes to $B$ as $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$; each query $M_i$ from $B$ (with $M_i \neq M$) is forwarded to the challenger, and each response $T_i = \text{mac-gen}(M_i, sk)$ is relayed back to $B$.]

Fig. 3. MMAC forger $A$ uses signature forger $B$ to forge a MMAC.
$I'$ be a coalition $I' \subseteq \{1, \ldots, n\}$. We say that the pair $(M', I')$ is bad if there is some tag $T \in \{0,1\}^{n-m}$ satisfying:

$$\forall i \in I': \text{mac-ver}(M', T, rk_i) = \text{`yes'} \quad\text{and}\quad \forall j \notin I': \text{mac-ver}(M', T, rk_j) = \text{`no'}.$$

In other words, $(M', I')$ is bad if $I'$ is precisely the subset of receiver keys for which some tag $T$ verifies as a valid tag for $M'$. The following lemma shows that for a fixed message $M$ there are few pairs $(M, I)$ that are bad.

Lemma 1. For any message $M$:

$$\Pr[(M, I) \text{ is bad}] \le \frac{1}{2^m},$$

where the probability is over the choice of a random coalition $I \subseteq \{1, \ldots, n\}$.



Proof. For each tag $T \in \{0,1\}^{n-m}$, let $I_T$ be the set of receivers $i$ for which $\text{mac-ver}(M, T, rk_i) = \text{`yes'}$. By definition, the pair $(M, I_T)$ is bad. Notice that the collection

$$\{(M, I_T) \mid T \in \{0,1\}^{n-m}\}$$

completely describes all bad pairs containing $M$ in the first coordinate. Since there are only $2^{n-m}$ possible values for $T$, this set is of size at most $2^{n-m}$. Since $I$ is chosen independently of $M$, it follows that

$$\Pr[(M, I) \text{ is bad}] \le \frac{2^{n-m}}{2^n} = \frac{1}{2^m},$$

establishing the lemma.
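To make the MMAC syntax of Section 2.1, the derived signature scheme of Section 3 and the counting argument of Lemma 1 concrete, here is an added Python example; it is not code from the paper. The MMAC is a constructed toy: the sender holds $\tau$ PRF keys, each receiver holds a random subset of them, and a tag is one PRF bit per sender key (the low bit of HMAC-SHA256 is assumed to serve as the one-bit PRF). With $n = 8$ receivers and $\tau = 4$, so $m = n - \tau = 4$, all $2^{\tau}$ tags can be enumerated, which lists every set $I_T$ and hence every bad coalition; the `kappa` parameter goes beyond Lemma 1 to the size-restricted coalitions of Lemma 3. Function names mirror the paper's algorithm names, while `bad_coalitions`, `bad_fraction` and `check_lemma1` are this example's own.

```python
import hmac
import hashlib
import random
from itertools import product
from math import comb

# Constructed toy MMAC (not the paper's code). The sender key is a list of tau
# independent PRF keys; receiver i holds a random subset of them. Tag bit j is
# a one-bit MAC of the message under sender key j, and receiver i accepts a tag
# iff every bit at a position whose key it holds is correct. Parameters are
# kept tiny so that all 2^tau tags can be enumerated; this illustrates the
# definitions and the counting bound, it is not a secure instantiation.


def prf_bit(key: bytes, msg: bytes) -> int:
    """One-bit PRF: low bit of HMAC-SHA256 (assumed to behave as a PRF here)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def key_gen(n: int, tau: int, rng: random.Random):
    """key-gen: sender key sk and receiver keys rk_1..rk_n. The security
    parameter s of the paper is replaced by the tag length tau; each rk_i
    maps a key index to the key bytes the receiver holds."""
    sk = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(tau)]
    rks = [{j: sk[j] for j in range(tau) if rng.random() < 0.5} for _ in range(n)]
    return sk, rks


def mac_gen(msg: bytes, sk) -> tuple:
    """mac-gen(M, sk): a tau-bit tag, one bit per sender key."""
    return tuple(prf_bit(k, msg) for k in sk)


def mac_ver(msg: bytes, tag: tuple, rk: dict) -> bool:
    """mac-ver(M, T, rk_i): check only the positions whose key receiver i holds."""
    return all(prf_bit(k, msg) == tag[j] for j, k in rk.items())


# Derived signature scheme of Section 3: K_sec = sk, K_pub = the receiver keys
# of a random coalition I; a signature is a tag accepted by every key in K_pub.
def skey_gen(n: int, tau: int, rng: random.Random):
    sk, rks = key_gen(n, tau, rng)
    coalition = [i for i in range(n) if rng.random() < 0.5]   # random I
    return sk, [(i, rks[i]) for i in coalition]


def sig_gen(msg: bytes, k_sec) -> tuple:
    return mac_gen(msg, k_sec)


def sig_ver(msg: bytes, sig: tuple, k_pub) -> bool:
    return all(mac_ver(msg, sig, rk) for _, rk in k_pub)


# Lemma 1 by brute force: I' is bad for M when some tag T is accepted by exactly
# the receivers in I', i.e. I' = I_T. Enumerating all 2^tau tags lists every I_T.
def bad_coalitions(msg: bytes, rks, tau: int) -> set:
    bad = set()
    for tag in product((0, 1), repeat=tau):
        i_t = frozenset(i for i, rk in enumerate(rks) if mac_ver(msg, tag, rk))
        bad.add(i_t)
    return bad


def bad_fraction(msg: bytes, rks, tau: int, kappa=None) -> float:
    """Pr[(M, I) is bad] for a uniformly random coalition I. With kappa set,
    I is uniform over coalitions of size <= kappa (the setting of Lemma 3)."""
    n = len(rks)
    bad = bad_coalitions(msg, rks, tau)
    if kappa is None:
        return len(bad) / 2 ** n                              # <= 2^tau / 2^n
    total = sum(comb(n, k) for k in range(kappa + 1))
    return sum(1 for s in bad if len(s) <= kappa) / total     # <= 2^tau / total


def check_lemma1(seed: int = 2001, n: int = 8, tau: int = 4, kappa: int = 2) -> dict:
    """Run the toy scheme once and report the quantities Lemmas 1 and 3 bound."""
    rng = random.Random(seed)
    sk, rks = key_gen(n, tau, rng)
    msg = b"constructed multicast message"
    tag = mac_gen(msg, sk)
    bad = bad_coalitions(msg, rks, tau)
    k_sec, k_pub = skey_gen(n, tau, rng)          # a second, independent instance
    return {
        "all_receivers_accept": all(mac_ver(msg, tag, rk) for rk in rks),
        "full_set_is_bad": frozenset(range(n)) in bad,   # I_T for the honest tag
        "num_bad": len(bad),                             # at most 2^tau
        "bad_fraction": bad_fraction(msg, rks, tau),     # at most 2^-(n - tau)
        "bad_fraction_kappa": bad_fraction(msg, rks, tau, kappa),
        "signature_verifies": sig_ver(msg, sig_gen(msg, k_sec), k_pub),
    }


if __name__ == "__main__":
    for key, value in check_lemma1().items():
        print(f"{key}: {value}")
```

Running the file prints whether the honest tag verifies for every receiver, the number of bad coalitions (at most $2^{\tau} = 16$ here) and the observed fraction, which never exceeds $2^{-m} = 1/16$ for any seed. The tag length satisfies $\tau < n$, which is the regime of Theorem 1; the toy itself is deliberately weak (a 4-bit tag can be guessed), so it shows the definitions and the counting bound, not a secure MMAC.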
We are now ready to complete the proof of Theorem 1.

Proof of Theorem 1. We will establish the contrapositive. Suppose there is a forger $B$ for the derived signature scheme (skey-gen, sig-gen, sig-ver) that runs in time $t$, makes $q$ queries, and produces a successful selective forgery with probability at least $\varepsilon + \frac{1}{2^m}$. We show the algorithm $A$ described in Figure 3 wins the selective forgery game for the MMAC (key-gen, mac-gen, mac-ver) with probability at least $\varepsilon$.

We say that event $\mathcal{A}$ occurs when the pair $(M, I)$ is not bad, where $M$ is the message chosen in Step 1 and $I$ is the random set chosen in Step 2. We say the event $\mathcal{B}$ occurs when the algorithm $B$ wins the signature forgery game by outputting a forgery $S$ on $M$ in the derived signature scheme. By assumption we know that $\Pr[\mathcal{B}] \ge \varepsilon + \frac{1}{2^m}$. Now, when both events $\mathcal{A}$ and $\mathcal{B}$ occur, we deduce the following:

(1) Since $S$ is a signature forgery for $M$ we have that

$$\forall i \in I: \text{mac-ver}(M, S, rk_i) = \text{`yes'};$$

(2) Since $(M, I)$ is not bad, the set of users for which $S$ is a valid MMAC cannot be $I$. Hence, by (1),

$$\exists j \notin I: \text{mac-ver}(M, S, rk_j) = \text{`yes'}.$$

But the second condition is precisely what is needed for $A$ to win the selective forgery game against the MMAC. Since by Lemma 1 we have that $\Pr[\neg\mathcal{A}] \le \frac{1}{2^m}$, we obtain the following:

$$\Pr[A \text{ wins MMAC forgery game}] \ge \Pr[\mathcal{B} \wedge \mathcal{A}] \ge \Pr[\mathcal{B}] - \Pr[\neg\mathcal{A}] \ge \left(\varepsilon + \frac{1}{2^m}\right) - \frac{1}{2^m} = \varepsilon.$$

This probability is taken over the random coin flips of the challenger and of the algorithms $A$ and $B$. Thus, the theorem follows. ■



4 Equivalence of MMAC and Signing for Existential Forgery

Next, we show that an existentially secure MMAC gives rise to an existentially secure signature scheme. The resulting bounds are a bit weaker than for selective forgery. Let (key-gen, mac-gen, mac-ver) be a MMAC, and let $H$ be a collision-resistant hash function from $\{0,1\}^*$ to $\{0,1\}^{\ell}$. Define the derived signature scheme (skey-gen, sig-gen, sig-ver) as follows:

skey-gen$(s, n)$: 1. Run key-gen$(s, n)$ to get $(sk, rk_1, \ldots, rk_n)$. 2. Pick a random subset $I = \{i_1, \ldots, i_w\} \subseteq \{1, \ldots, n\}$. 3. Output $K_{sec} = sk$ and $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$.

sig-gen$(M, K_{sec})$: Output $T = \text{mac-gen}(H(M), K_{sec})$.

sig-ver$(M, S, K_{pub})$: Write $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$. Output `yes' if and only if for all $j = 1, \ldots, w$, $\text{mac-ver}(H(M), S, rk_{i_j}) = \text{`yes'}$.
Suppose the MMAC (key-gen, mac-gen, mac-ver) is $(t, \varepsilon, q)$-secure against existential forgery under an adaptive chosen message attack, and suppose the length of the output of $\text{mac-gen}(M)$ is bounded by $\tau = n - m$ for all $M$. Furthermore let $H$ be chosen from a family of collision-resistant hash functions; specifically, suppose no $t$-time algorithm can find $M_1 \neq M_2$ such that $H(M_1) = H(M_2)$ with success probability greater than some small $\varepsilon_H$. We show in the following theorem that the derived signature scheme retains nearly identical security properties.

Theorem 2. The derived signature scheme (skey-gen, sig-gen, sig-ver) is $(t, \varepsilon + \frac{1}{2^{m-\ell}} + \varepsilon_H, q)$-secure against existential forgery under an adaptive chosen message attack.

For example, suppose (key-gen, mac-gen, mac-ver) is $(t, \varepsilon, q)$-secure against existential forgery. Let $H$ be the hash function SHA-1: $\{0,1\}^* \to \{0,1\}^{160}$, with security $\varepsilon_H \approx$ (value lost in the scan). Then taking $m = 240$ results in a sufficiently secure signature scheme. Hence, as soon as the MMAC length is slightly less than the number of receivers, $n$, we obtain an existentially secure signature scheme.

Proof of Theorem 2. We will establish the contrapositive. Suppose we have a forger $B$ that produces successful existential forgeries for the derived signature scheme (skey-gen, sig-gen, sig-ver). We build a MMAC forger $A$ for (key-gen, mac-gen, mac-ver). Recall that we model security as the probability of winning a game against a certain challenger. We describe how the algorithm $A$ interacts with the challenger in this game, using $B$ as a subroutine.

Step 1: The algorithm $A$ chooses a random subset $I = \{i_1, \ldots, i_w\} \subseteq \{1, \ldots, n\}$ and sends this to the challenger, which responds with $(rk_{i_1}, \ldots, rk_{i_w})$ for some $(sk, rk_1, \ldots, rk_n)$ generated randomly by key-gen.

Step 2: Algorithm $A$ sets $K_{pub} = (rk_{i_1}, \ldots, rk_{i_w})$ and sends $K_{pub}$ to $B$.

Step 3: For each query $M_i$ made by $B$, algorithm $A$ sends the query $H(M_i)$ to the challenger. Algorithm $A$ then passes the response $T_i$ back to $B$.

Step 4: After at most $q$ queries, $B$ outputs a message $M$ and a candidate signature forgery $S$ for $M$. If $H(M_i) = H(M)$ for some $i \in \{1, \ldots, q\}$, the algorithm $A$ aborts the forgery attempt, as a collision in $H$ has been found. Otherwise, the algorithm $A$ outputs the pair $(H(M), S)$ as its candidate MMAC forgery.

We claim that $A$ wins the existential forgery game for MMACs with probability at least $\varepsilon$. The proof uses the following concept: we say that a subset of users $I' \subseteq \{1, \ldots, n\}$ is bad if there is some $H_M \in \{0,1\}^{\ell}$ and some tag $T \in \{0,1\}^{n-m}$ such that

$$\forall i \in I': \text{mac-ver}(H_M, T, rk_i) = \text{`yes'}, \quad\text{and}\quad \forall j \notin I': \text{mac-ver}(H_M, T, rk_j) = \text{`no'}.$$

That is, $I'$ is bad when $I'$ is precisely the subset of receiver keys for which some tag $T$ verifies as a valid tag for some $H_M$ in the range of the hash function $H$.
Lemma 2. When $I$ is a random subset of $\{1, \ldots, n\}$ we have that:

$$\Pr[I \text{ is bad}] \le \frac{1}{2^{m-\ell}}.$$

Proof. We use the bound of Lemma 1 on the probability that a pair $(H_M, I')$ is bad, for any $H_M \in \{0,1\}^{\ell}$. We obtain the following:

$$\Pr_{I \subseteq \{1,\ldots,n\}}[I \text{ is bad}] = \Pr_{I \subseteq \{1,\ldots,n\}}\left[\exists H_M \in \{0,1\}^{\ell} \text{ s.t. } (H_M, I) \text{ is bad}\right] \le \sum_{H_M \in \{0,1\}^{\ell}} \Pr[(H_M, I) \text{ is bad}] \le 2^{\ell}\left(\frac{1}{2^m}\right) = \frac{1}{2^{m-\ell}},$$

as desired.



We can now complete the proof of Theorem 2. Suppose there is a forger $B$ for the derived signature scheme (skey-gen, sig-gen, sig-ver) that runs in time $t$, makes $q$ queries, and produces a successful existential forgery with probability at least $\varepsilon + \frac{1}{2^{m-\ell}} + \varepsilon_H$. We claim algorithm $A$ described above wins the existential forgery game for the MMAC (key-gen, mac-gen, mac-ver) with probability at least $\varepsilon$.

We say the event $\mathcal{A}$ occurs when the set $I$ chosen in Step 1 of algorithm $A$ is not bad. We say the event $\mathcal{B}$ occurs when the algorithm $A$ does not abort in Step 4. Finally, we say the event $\mathcal{C}$ occurs when the algorithm $B$ wins the existential forgery game by outputting a forgery $S$ on $M$ in the derived signature scheme. By assumption we know that $\Pr[\mathcal{C}] \ge \varepsilon + \frac{1}{2^{m-\ell}} + \varepsilon_H$.

Now, when events $\mathcal{A}$, $\mathcal{B}$, and $\mathcal{C}$ hold, we deduce the following:

(1) $\forall i \in I: \text{mac-ver}(H(M), S, rk_i) = \text{`yes'}$ ($S$ is a signature forgery for $M$),

(2) $\forall i: H(M) \neq H(M_i)$ ($A$ does not abort),

(3) $\exists j \notin I: \text{mac-ver}(H(M), S, rk_j) = \text{`yes'}$ (by (1) and the fact that $I$ is not bad).

But the second and third conditions are precisely what is needed for $A$ to win the existential forgery game against a MMAC. So, by Lemma 2 and the fact that $H$ is collision-resistant:

$$\Pr[A \text{ wins MMAC forgery game}] \ge \Pr[\mathcal{C} \wedge \mathcal{A} \wedge \mathcal{B}] \ge \Pr[\mathcal{C}] - \Pr[\neg\mathcal{A}] - \Pr[\neg\mathcal{B}] \ge \left(\varepsilon + \frac{1}{2^{m-\ell}} + \varepsilon_H\right) - \frac{1}{2^{m-\ell}} - \varepsilon_H = \varepsilon.$$

This probability is taken over the random coin flips of the challenger and of the algorithms $A$ and $B$. Thus, the theorem follows. ■

Note that the construction of the signature scheme above made use of a collision-resistant hash function. The proof can be easily modified to use only one-way universal hashing (OWUHF). Since OWUHFs can be constructed from one-way functions, there is no need to rely on collision resistance.
5 Coalitions of Limited Size

A MMAC (key-gen, mac-gen, mac-ver) is said to be $(t, \varepsilon, q, \kappa)$-secure against selective forgery under an adaptive chosen message attack if every $t$-time probabilistic algorithm $A$ wins the game in Section 2 (depicted in Fig. 1) with probability less than $\varepsilon$, where the coalition $I$ is subject to the constraint $|I| \le \kappa$. Similarly, $(t, \varepsilon, q, \kappa)$-security against existential forgery is defined as $(t, \varepsilon, q)$-security against existential forgery where the coalition size $|I|$ is limited by $\kappa$. Note that for $\kappa = n$, these notions are exactly the same as those defined in Section 2; when $\kappa < n$, the security requirements are strictly weaker.

We show in this section that a $(t, \varepsilon, q, \kappa)$-secure MMAC with output length less than

$$\log_2 \sum_{k=0}^{\kappa} \binom{n}{k}$$

gives rise to a signature scheme of nearly equivalent security.

Let (key-gen, mac-gen, mac-ver) be a MMAC that is $(t, \varepsilon, q, \kappa)$-secure against selective forgery under an adaptive chosen message attack. Define the derived signature scheme (skey-gen, sig-gen, sig-ver) as in Section 3 with the modification that skey-gen$(s, n)$ picks a random subset $I \subseteq \{1, \ldots, n\}$ subject to the constraint $|I| \le \kappa$.

Suppose the length of the output of $\text{mac-gen}(M)$ is bounded by

$$\tau = \left(\log_2 \sum_{k=0}^{\kappa} \binom{n}{k}\right) - m$$

for all $M$. Then we show:

Theorem 3. The derived signature scheme (skey-gen, sig-gen, sig-ver) is $(t, \varepsilon + \frac{1}{2^m}, q)$-secure against selective forgery under an adaptive chosen message attack.

The proof follows that of Theorem 1. Because of the restriction on the size of the coalition $I$, the following alternative to Lemma 1 is required.

Lemma 3. For any fixed message $M$,

$$\Pr[(M, I) \text{ is bad}] \le \frac{1}{2^m},$$

where the probability is over the choice of a random coalition $I \subseteq \{1, \ldots, n\}$ satisfying $|I| \le \kappa$.

Proof. For each tag $T \in \{0,1\}^{\tau}$, there is exactly one set $I_T$ containing precisely those receivers $i$ for which $\text{mac-ver}(M, T, rk_i) = \text{`yes'}$. By definition, the pair $(M, I_T)$ is bad. The collection

$$\{(M, I_T) \mid T \in \{0,1\}^{\tau}\}$$

completely describes all bad pairs containing $M$ in the first coordinate. Since there are only $2^{\tau}$ possible values for $T$, this set is of size at most

$$2^{\tau} = 2^{-m} \sum_{k=0}^{\kappa} \binom{n}{k}.$$

Since $I$ is chosen independently of $M$, it follows that

$$\Pr_{\substack{I \subseteq \{1,\ldots,n\} \\ |I| \le \kappa}}[(M, I) \text{ is bad}] \le \frac{2^{-m} \sum_{k=0}^{\kappa} \binom{n}{k}}{\sum_{k=0}^{\kappa} \binom{n}{k}} = \frac{1}{2^m},$$

establishing the lemma. ■

With this lemma in place, Theorem 3 follows just as Theorem 1.

An analogous theorem may be shown for security against existential forgery. Let (key-gen, mac-gen, mac-ver) be a MMAC that is $(t, \varepsilon, q, \kappa)$-secure against existential forgery under an adaptive chosen message attack. Define the derived signature scheme (skey-gen, sig-gen, sig-ver) as in Section 4 with the modification that skey-gen$(s, n)$ picks a random subset $I \subseteq \{1, \ldots, n\}$ subject to the constraint $|I| \le \kappa$.

Suppose the MMAC (key-gen, mac-gen, mac-ver) is $(t, \varepsilon, q)$-secure against existential forgery under an adaptive chosen message attack, and suppose the length of the output of $\text{mac-gen}(M)$ is bounded by

$$\tau = \left(\log_2 \sum_{k=0}^{\kappa} \binom{n}{k}\right) - m$$

for all $M$. Furthermore assume that $H$ is a collision-resistant hash function with security parameter $\varepsilon_H$. Then one can show

Theorem 4. The derived signature scheme (skey-gen, sig-gen, sig-ver) is $(t, \varepsilon + \frac{1}{2^{m-\ell}} + \varepsilon_H, q)$-secure against selective forgery under an adaptive chosen message attack.

The proof is similar to the proof of Theorem 2 with the appropriate modification to Lemma 2.



6 Conclusions 

We gave precise definitions for Multicast MACs (MMACs) secure against se- 
lective and existential forgeries. Our main results show that a short collusion- 
resistant multicast MAC can be easily converted into a signature scheme. This 
shows a gap between the cryptographic resources needed for two party MACs 
(where signatures are not needed) and the resources needed for Multicast MACs. 
Our bounds justify the recent effort into designing signature schemes for a mul- 
ticast environment 1)1711 !1| . Such schemes require minimal buffering on the 

sender’s side and resist packet loss. We also note the constructions of [TOITT] that 
provide a short MMAC without non-repudiation by using some weak timing as- 
sumptions. 
For small values of $\kappa$, our lower bound for $\kappa$-secure MMACs asymptotically matches the upper bound construction of Canetti et al. p. Hence, the Canetti et al. construction has optimal length (up to a small constant factor) for a MMAC that is based purely on pseudorandom functions.
Abstract. We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links.

We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.



1 Introduction 



Key-exchange protocols (ke, for short) are mechanisms by which two parties 
that communicate over an adversarially-controlled network can generate a com- 
mon secret key. ke protocols are essential for enabling the use of shared-key 
cryptography to protect transmitted data over insecure networks. As such they 
are a central piece for building secure communications (a.k.a “secure channels”), 
and are among the most commonly used cryptographic protocols (contemporary 
examples include SSL, IPSec, SSH, among others). 

The design and analysis of secure ke protocols has proved to be a non-trivial 
task, with a large body of work written on the topic, including H5ldUIIUI7llBI5l5l . 

and many more. In fact, even today, after two decades of research, some 
important issues remain without satisfactory treatment. One such issue is how 
to guarantee the adequacy of ke protocols for their most basic application: 
the generation of shared keys for implementing secure channels. Providing this 
guarantee (with minimal requirements from ke protocols) is the main focus and objective of this work. The other central goal of the paper is in simplifying the usability of the resultant security definitions via a modular approach to the design and analysis of ke protocols. We exemplify this approach with a proof of security for two important classes of ke protocols.

(Footnote: for a complete self-contained treatment the reader is referred to ini.)

This paper adopts a methodology for the analysis of ke protocols that results 
from the combination of two previous works in this area: Bellare and Rogaway ^ 
and Bellare, Canetti and Krawczyk |2|. A main ingredient in the formalization 
of jni is the use of the indistinguishability approach of m to defining security: 
roughly speaking, a key-exchange protocol is called secure if under the allowed 
adversarial actions it is infeasible for the attacker to distinguish the value of 
a key generated by the protocol from an independent random value. Here we 
follow this exact same approach but replace the adversarial model of with 
an adversarial model derived from |2|. This combination allows to achieve the 
above two main objectives. We elaborate on these main aspects of our work. 

First, the formalization of | 2 | captures not only the specific needs of ke 
protocols but rather develops a more general model for the analysis of security 
protocols. This allows formulating and proving the statement that ke protocols 
proven secure according to our definition (we call these protocols SK-secure) 
can be used in standard ways to provide “secure channels”. More specifically, 
consider the common security practice by which pairs of parties establish a 
“secure channel” by first exchanging a session key using a ke protocol and 
then using this key to encrypt and authenticate the transmitted data under 
symmetric cryptographic functions. We prove that if in this setting one uses 
an SK-secure ke protocol together with secure MAC and encryption functions 
combined appropriately then the resultant channel provides both authentication 
and secrecy (in a sense that we define precisely) to the transmitted data. While 
this property of ensuring secure channels is indeed an obvious requirement from 
a secure ke protocol it turns out that formalizing and proving this property is 
non-trivial. In fact, there are “seemingly secure” key exchange protocols that 
do not necessarily guarantee this (e.g. those that use the session key during the 
exchange itself), as well as proposed definitions of secure key-exchange that do 
not suffice to guarantee this either (e.g., the definitions in jSIEE0)- Moreover, 
although several works have addressed this issue (see Section O), to the best of 
our knowledge the notion of secure channels was never formalized in the context 
of KE protocols, let alone demonstrating that some definition of ke protocols 
suffices for this basic task. Indeed, one of the contributions of this work is a 
formalization of the secure channels task. While this formalization is not intended 
to provide general composability properties for arbitrary cryptographic settings, 
it arguably provides sufficient security guarantee for the central task of protecting 
the integrity and authenticity of communications over adversarially-controlled 
links. 
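The paragraph above describes the common practice it later formalizes: a session key from a ke protocol, then symmetric encryption and authentication of the traffic, "combined appropriately". The following Python example is added here to show one such combination; it is not the paper's construction and the ke step itself is not shown: `SESSION_KEY` is a constructed stand-in for the protocol's output. The assumed combination is encrypt-then-MAC with a per-record sequence number, separate encryption and MAC keys derived from the session key, and HMAC-SHA256 used as a PRF in counter mode in place of a block cipher so that the file runs with the standard library alone. Only one direction of the channel is shown.

```python
import hmac
import hashlib

# Added example (not the paper's construction): a secure channel built from an
# already-agreed session key. The session key would come from a KE protocol;
# SESSION_KEY and SESSION_ID are constructed values. Encrypt-then-MAC with
# sequence numbers is an assumed instantiation of "combined appropriately".

SESSION_KEY = bytes(range(32))        # constructed stand-in for the KE output
SESSION_ID = b"session-1"             # constructed session identifier
TAG_LEN = 32                          # HMAC-SHA256 output length


def derive_keys(session_key: bytes, session_id: bytes):
    """Separate encryption and MAC keys, derived from the session key with
    distinct labels so the two symmetric functions never share a key."""
    k_enc = hmac.new(session_key, b"enc|" + session_id, hashlib.sha256).digest()
    k_mac = hmac.new(session_key, b"mac|" + session_id, hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from a PRF; (seq, block) never repeats in a session."""
    out, block = b"", 0
    while len(out) < length:
        ctr = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(k_enc, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


class Sender:
    def __init__(self, session_key: bytes, session_id: bytes):
        self.k_enc, self.k_mac = derive_keys(session_key, session_id)
        self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        """Record = seq || ciphertext || MAC(seq || ciphertext)."""
        hdr = self.seq.to_bytes(8, "big")
        ks = keystream(self.k_enc, self.seq, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        self.seq += 1
        tag = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()
        return hdr + ct + tag


class Receiver:
    def __init__(self, session_key: bytes, session_id: bytes):
        self.k_enc, self.k_mac = derive_keys(session_key, session_id)
        self.expected_seq = 0

    def recv(self, record: bytes):
        """Return the plaintext, or None if the record is forged, modified,
        replayed or out of order. The MAC is checked before anything else."""
        if len(record) < 8 + TAG_LEN:
            return None
        hdr, ct, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.k_mac, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # authenticity failure
        seq = int.from_bytes(hdr, "big")
        if seq != self.expected_seq:
            return None                                   # replay or reordering
        self.expected_seq += 1
        ks = keystream(self.k_enc, seq, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def channel_demo() -> dict:
    """Exercise the channel on constructed traffic and return what the receiver saw."""
    alice = Sender(SESSION_KEY, SESSION_ID)
    bob = Receiver(SESSION_KEY, SESSION_ID)
    r1 = alice.send(b"hello")
    r2 = alice.send(b"world")
    tampered = r2[:8] + bytes([r2[8] ^ 1]) + r2[9:]       # flip one ciphertext bit
    return {
        "first": bob.recv(r1),
        "replay": bob.recv(r1),          # same record again: rejected
        "tampered": bob.recv(tampered),  # MAC fails: rejected, seq not advanced
        "second": bob.recv(r2),          # the untouched record still arrives
    }


if __name__ == "__main__":
    for key, value in channel_demo().items():
        print(f"{key}: {value!r}")
```

The demo shows the two properties the paragraph names: secrecy (the record carries only ciphertext) and authentication (a flipped bit and a replayed record are both rejected before any decryption happens). Whether this composition is justified for a given ke protocol is exactly the question the paper's SK-security definition is built to answer; the example takes the session key as given.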



Second, the approach of allows for a substantial simplification in designing 
KE protocols and proving their security. This approach postulates a two-step 
methodology by which protocols can first be designed and analyzed in a much 
simplified adversarial setting where the communication links are assumed to 
be ideally authenticated (i.e., the attacker is not allowed to insert or change 
information transmitted over the communication links between parties). Then, 
in a second step, these protocols are “automatically” transformed into secure 
protocols in the realistic scenario of fully adversary-controlled communications 
by applying a protocol translation tool (or “compiler”) called an authenticator. 
Fortunately, simple and efficient realizations of authenticators based on different 
cryptographic functions exist P| thus making it a useful and practical design and 
analysis tool. (We stress that our framework does not mandate this methodology; 
i.e., it is possible of course to prove security of a ke protocol directly in the fully 
adversarial model.) 

We use this approach to prove the security of two important classes of key- 
exchange protocols: Diffie-Hellman and key-transport protocols. All one needs to 
do is to simply prove the security of these protocols in the ideal authenticated- 
links model and then, thanks to the above modular approach, one obtains ver- 
sions of these protocols that are secure in a realistic adversary-controlled net- 
work. The “authenticated” versions of the protocols depend on the authentica- 
tors in use. These can be based either on symmetric or asymmetric cryptographic 
techniques (depending on the trust model) and result in natural and practical ke 
protocols. The security guarantees that result from these proofs are substantial 
as they capture many of the security concerns in real communications settings 
including the asynchronous nature of contemporary networks, the run of multiple 
simultaneous sessions, resistance to man-in-the-middle and known-key attacks, 
maintaining security of sessions even when other sessions are compromised, and 
providing “perfect forward secrecy”, i.e., protection of past sessions in case of 
the compromise of long-term keying material. 



1.1 Related Work 



Since its introduction in the seminal work of Diffie and Hellman US! the notion 
of a key-exchange protocol has been the subject of many works (see |2E| for 
an extensive bibliography). Here we mention some of the works that are more 
directly related to the present work. 

Among the early works on this subject we note [?] as being instrumental in pointing out the many subtleties involved in the analysis of KE protocols. The first complexity-theoretic treatment of the notion of security for KE protocols is due to Bellare and Rogaway [?], who formalize the security of KE protocols in the realistic setting of concurrent sessions running in an adversary-controlled network. As said above, [?] apply the indistinguishability definitional approach that we follow here as well. While [?] focused on the shared-key model of authentication, other works [?] extended the techniques to the public-key setting. One important contribution of [?] is in noting and fixing a shortcoming in the original definition of [?]; this fix, which we adopt here, is fundamental for proving our results about secure channels.
Bellare, Canetti, and Krawczyk [2] present a model for studying general session-oriented security protocols that we adopt and extend here. They also introduce the “authenticator” techniques that allow for greatly simplifying the analysis of protocols and that we use as a basic tool in our work. In addition, [2] proposes a definition of security of KE protocols rooted in the simulatability (or “ideal third party”) approach used to define security of multiparty computation. While this definitional approach is intuitively appealing, the actual KE security definition of [2] comes short of expectations. On one hand, it seems over-restrictive, in the sense that it rules out protocols that seem to provide sufficient security (and, as demonstrated here, can be safely used to obtain secure channels); on the other, it is not clear whether their definition suffices to prove composition theorems even in the restricted sense of secure channels as dealt with in this paper.

More recently, Shoup [?] presents a framework for the definition of security of KE protocols that follows the basic simulatability approach as in [2] but introduces significant modifications in order to overcome some of the shortcomings of the KE definition in [2] as well as to seek composability with other cryptographic applications. In particular, [?] states as a motivational goal the construction of “secure sessions” (similar to our secure channels), and it informally claims the sufficiency of its definitions to achieve this goal. A more rigorous and complete elaboration of that work will be needed to assess the correctness of these claims. In addition, [?] differs from our work in several other interesting aspects. In order to keep this introduction short, we provide a more extensive comparison with [?] in the Appendix.

A promising general approach for the analysis of reactive protocols and their concurrent composition has been developed by Pfitzmann, Schunter and Waidner [?] and Canetti [?]. This approach, which follows the simulatability tradition, can be applied to the task of key exchange to obtain a definition of KE protocols that guarantees secure concurrent composition with any set of protocols that make use of the generated keys. See more details in [?].

A subjective discussion. The above works follow two main distinct approaches to defining security of KE protocols: simulation-based and indistinguishability-based. The former is more intuitively appealing (due to its modeling of security via an ideally-trusted third party), and also appears to be more amenable to demonstrating general composability properties of protocols. On the other hand, the complexity of the resulting definitions, once all details are filled in, is considerable and makes for definitions that are relatively complex to work with. In contrast, the indistinguishability-based approach yields definitions that are simpler to state and easier to work with; however, their adequacy for modeling the task at hand seems less clear at first glance. The results in this paper indicate the suitability of the indistinguishability-based approach in the context of KE protocols — if the goal is the application of KE protocols to the specific task of secure channels as defined here. By following this approach we gain the benefit of simpler analysis and easier-to-write proofs of security. At the same time, our work borrows from the simulation-based approach the modularity of building proofs via the intermediate ideally-authenticated links model, thus enjoying the “best of both worlds”.

Organization. Due to lack of space, the presentation here is kept at an informal level, and omits some important pieces. A complete and rigorous treatment, including model details and proofs, appears in [?]. Section 2 presents an overview of the protocol and adversary models used throughout this work. The definition of SK-security for KE protocols is presented in Section 3. Section 4 states the security of sample protocols. Section 5 demonstrates the suitability of our notion of security to realizing secure channels.

2 Protocol and Adversary Models: An Overview 

In order to define what is meant by the security of a key-exchange (KE) protocol we first need to establish a formalism for the most basic notions: what is meant by a protocol in general and a key-exchange protocol in particular, what are sessions, and what is an “attacker” against such protocols. Here we use a formalism based on the approach of [2], where a general framework for studying the security of session-based multi-party protocols over insecure channels is introduced. We extend and refine this formalism to better fit the needs of practical KE protocols.

In order to motivate and make the formalism easier to understand, we start by providing a high-level overview of our model. The precise technical description appears in [?]. After introducing the protocol and adversary models we proceed to define the security of KE protocols in Section 3.



2.1 Protocols, Sessions and Key-Exchange

Message-driven protocols. We consider a set of parties (probabilistic polynomial-time machines), which we usually denote by P_1, ..., P_n, interconnected by point-to-point links over which messages can be exchanged. Protocols are collections of interactive procedures, run concurrently by these parties, that specify a particular processing of incoming messages and the generation of outgoing messages. Protocols are initially triggered at a party by an external “call” and later by the arrival of messages. Upon each of these events, and according to the protocol specification, the protocol processes information and may generate and transmit a message and/or wait for the next message to arrive. We call these message-driven protocols. (We note the asynchronous nature of protocols defined in this way, which reflects the prevalent form of communication in today’s networks.)

Sessions and protocol output. Protocols can trigger the initiation of subprotocols (i.e., interactive subroutines) or other protocols, and several copies of such protocols may be simultaneously run by each party. We call each copy of a protocol run at a party a session. Technically, a session is an interactive subroutine executed inside a party. Each session is identified by the party that runs it, the parties with whom the session communicates and by a session-identifier. These identifiers are used in practice to bind transmitted messages to their corresponding sessions. Each invocation of a protocol (or session) at a given party creates a local state for that session during execution, and produces local outputs by that party. This output can be a quantity (e.g., a session key) returned to the calling program, or it can be the recording of a protocol event (such as a successful or failed termination). These local outputs serve to represent the “history” of a protocol and are important to formalize security. When a session ends its run we call it complete and assume that its local state is erased.

Key-exchange protocols. Key-exchange (KE) protocols are message-driven protocols (as defined above) where the communication takes place between pairs of parties and which return, upon completion, a secret key called a session key. More specifically, the input to a KE protocol within each party P_i is of the form (P_i, P_j, s, role), where P_j is the identity of another party, s is a session id, and role can be either initiator or responder. A session within P_i and a session within P_j are called matching if their inputs are of the form (P_i, P_j, s, initiator) and (P_j, P_i, s, responder). The inputs are chosen by a “higher layer” protocol that “calls” the KE protocol. We require the calling protocol to make sure that the session id’s of no two KE sessions in which the party participates are identical. Furthermore, we leave it to the calling protocol to make sure that two parties that wish to exchange a key will activate matching sessions. Note that this may require some communication before the actual KE sessions are activated.¹

Upon activation, the partners P_i and P_j of two matching sessions exchange messages (the initiator goes first), and eventually generate local outputs that include the name of the partners of the session, the session identifier, and the value of the computed session key. A key establishment event is recorded only when the exchange is completed (this signals, in particular, that the exchanged key can be used by the protocol that called the KE session). We note that a session can be completed at one partner but not necessarily at the other.

After describing these “mechanics” of a KE protocol we need to define what is meant by a “secure” KE protocol. This is the subject of Section 3, and it is based on the adversarial model that we introduce next.



2.2 The Unauthenticated-Links Adversarial Model (UM)



In order to talk about the security of a protocol we need to define the adversarial setting that determines the capabilities and possible actions of the attacker. We want these capabilities to be as generic as possible (as opposed to, say, merely representing a list of possible attacks) while not posing unrealistic requirements. We follow the general adversarial formalism of [2] but specialize and extend it here for the case of KE protocols. Using the terminology of [2] we call this model the Unauthenticated Links Model (UM).

¹ Indeed, in practice protocols for setting up a secure session typically exchange some messages before the actual cryptographic key-exchange starts. The IKE protocol of the IPSEC standard is a good example [?].

Basic attacker capabilities. We consider a probabilistic polynomial-time 
(ppt) attacker that has full control of the communications links: it can listen to 
all the transmitted information, decide what messages will reach their destination 
and when, change these messages at will or inject its own generated messages. 
The formalism represents this ability of the attacker by letting the attacker be 
the one in charge of passing messages from one party to another. The attacker 
also controls the scheduling of all protocol events including the initiation of 
protocols and message delivery. 

Obtaining secret information. In addition to these basic adversarial capabilities (given “for free” to the attacker), we let the attacker obtain secret information stored in the parties’ memories via explicit attacks. We consider all the secret information stored at a party as potentially vulnerable to break-ins or other forms of leakage. However, when defining security of a protocol it is important to guarantee that the leakage of some form of secret information has the least possible effect on the security of other secrets. For example, we will want to guarantee that the leakage of information specific to one session (such as the leakage of a session key or ephemeral state information) will have no effect on the security of other sessions, or that even the leakage of crucial long-term secrets (such as private keys) that are used across multiple sessions will not necessarily compromise secret information from all past sessions. In order to be able to differentiate between various vulnerabilities and to be able to guarantee as much security as possible in the event of information exposures, we classify attacks into three categories depending on the type of information accessed by the adversary:

Session-state reveal. The attacker provides the name of a party and a session identifier of a yet incomplete session at that party and receives the internal state of that session (since we see sessions as procedures running inside a party, the internal state of a session is well defined). An important point here is what information is included in the local state of a session. We leave this to be specified by each KE protocol. Therefore, our definition of security is parameterized by the type and amount of information revealed in this attack. For instance, the information revealed in this way may be the exponent x used by a party to compute a value g^x in a Diffie-Hellman key-exchange protocol, or the random bits used to encrypt a quantity under a probabilistic encryption scheme during a session. Typically, the revealed information will include all the local state of the session and its subroutines, except for the local state of the subroutines that directly access the long-term secret information, e.g., the local signature/decryption key of a public-key cryptosystem, or the long-term shared key.

Session-key query. The attacker provides a party’s name and a session identifier of a completed session at that party and receives the value of the key generated by the named session. This attack provides the formal modeling for leakage of information on specific session keys that may result from events such as break-ins, cryptanalysis, careless disposal of keys, etc. It will also serve, indirectly, to ensure that the unavoidable leakage of information produced by the use of session keys in a security application (e.g., information leaked on a key by its use as an encryption key) will not help in deriving further information on this and other keys.

Party corruption. The attacker can decide at any point to corrupt a party, in which case the attacker learns all the internal memory of that party including long-term secrets (such as private keys or master shared keys used across different sessions) and session-specific information contained in the party’s memory (such as internal state of incomplete sessions and session-keys corresponding to completed sessions). Since by learning its long-term secrets the attacker can impersonate a party in all its actions, a party is considered completely controlled by the attacker from the time of corruption and can, in particular, depart arbitrarily from the protocol specifications.

Terminology: if a session is subject to any of the above three attacks (i.e. a 
session-state reveal, a session-key query or the corruption of the party holding 
the session) then the session is called locally exposed. If a session or its matching 
session is locally exposed then we call the session exposed. 

Session expiration. One important additional element in our security model is the notion of session expiration. This takes the form of a protocol action that, when activated, causes the erasure of the named session key (and any related session state) from that party’s memory. We allow a session to be expired at one party without necessarily expiring the matching session. The effect of this action in our security model is that the value of an expired session key cannot be found via any of the above attacks if these attacks are performed after the session expired. This has two important consequences: it allows us to model the common (and good) security practice of limiting the lifetime of individual session keys, and it allows for a simple modeling of the notion of perfect forward secrecy (see Section 3.2). We note that in order for a session to be locally exposed (as defined above) the attack against the session must happen before the session expires.

Bootstrapping the security of key-exchange protocols. Key-exchange protocols, as other cryptographic applications, require the bootstrapping of security (especially for authentication) via some assumed-secure means. Examples include the secure generation of parties’ private keys, the installation of public keys of other parties, or the installation of shared “master” keys. Here too we follow the approach of [2], where the bootstrapping of the authentication functions is abstracted into an initialization function that is run prior to the initiation of any key-exchange protocol and that produces in a secure way (i.e., without adversarial participation) the required (long-term) information. By abstracting out this initial phase we allow for the combination of different protocols with different initialization functions: in particular, it allows our analysis of protocols (such as Diffie-Hellman) to be applicable under the two prevalent settings of authentication: symmetric and asymmetric authentication. Two points to note are (1) the specification of the initialization function is part of the definition of each KE protocol; and (2) secret information generated by this function at a given party can be discovered by the attacker only upon corruption of that party. We stress that while this abstraction adds to the simplicity and applicability of our analysis techniques, the bootstrapping of security in actual protocols is an element that must be carefully analyzed (e.g., the interaction with a CA in the case of public-key based protocols). Integrating these explicit elements into the model can be done either directly as done in [?], or in a more modular way via appropriate protocol composition.



2.3 The AM, Protocol Emulation and Authenticators 

A central ingredient in our analyses is the methodology introduced in [2] by which one can design and analyze a protocol under the highly-simplifying assumption that the attacker cannot change information transmitted between parties, and then transform these protocols and their security assurance to the realistic UM where the adversary has full control of the communication links. The main components in the formalization of this methodology are shortly described here (see [2] and [?] for complete details).

First, an adversarial model called the authenticated-links model (denoted AM) is defined in a way that is identical to the UM with one fundamental difference: the attacker is restricted to only deliver messages truly generated by the parties, without any change or addition to them. Then, the notion of “emulation” is introduced in order to capture the equivalence of functionality between protocols in different adversarial models, in particular between the UM and AM. Roughly speaking, a protocol π' emulates protocol π in the UM if for any adversary that interacts with π' in the UM there exists an adversary that interacts with π in the AM such that the two interactions “look the same” to an outside observer. Finally, special algorithms called authenticators are developed with the property that on input the description of a protocol π the authenticator outputs the description of a protocol π' such that π' emulates protocol π in the UM. That is, authenticators act as an automatic “compiler” that translates protocols in the AM into equivalent (or “as secure as”) protocols in the UM.

In order to simplify the construction of authenticators, [2] offers the following methodology. First consider a very simple one-flow protocol in the AM, called MT, whose sole functionality is to transmit a single message from sender to recipient. Now build a restricted-type authenticator, called an MT-authenticator, required to provide emulation for this particular MT protocol only. Finally, to any such MT-authenticator λ one associates an algorithm (or compiler) C_λ that translates any input protocol π into another protocol π' as follows: to each of the messages defined in protocol π apply the MT-authenticator λ. It is proven in [2] that C_λ is an authenticator (i.e., the resultant protocol π' emulates π in the UM). Particular realizations of MT-authenticators are presented in [2] based on different types of cryptographic functions (e.g., digital signatures, public-key encryption, MAC, etc.).
3 Session-Key Security

After having defined the basic formal model for key-exchange protocols and adversarial capabilities, we proceed to define what is meant for a key-exchange protocol to be secure. While the previous section was largely based on the work of [2], our definition of security closely follows the definitional approach of [?]. The resultant notion of security, which we call session-key security (or SK-security), focuses on ensuring the security of individual session-keys as long as the session-key value is not obtained by the attacker via an explicit key exposure (i.e., as long as the session is unexposed; see the terminology in the previous section). We want to capture the idea that the attacker “does not learn anything about the value of the key” from interacting with the key-exchange protocol and attacking other sessions and parties. As is standard in the semantic-security approach, this is formalized via the infeasibility of distinguishing between the real value of the key and an independent random value.

We stress that this formulation of SK-security is very careful about tuning the definition to offer enough strength as required for the use of key-exchange protocols to realize secure channels (Section 5), as well as being realistic enough to avoid overkill requirements which would prevent us from proving the security of very useful protocols (Section 4). We further discuss these aspects after the presentation of the definition.

3.1 Definition of SK-Security 

We first present the definition for the UM. The formalization in the AM is analogous. We start by defining an “experiment” where the attacker U chooses a session in which to be “tested” about information it learned on the session-key; specifically, we will ask the attacker to differentiate the real value of the chosen session key from a random value. (Note that this experiment is an artifact of the definition of security, and not an integral part of the actual key-exchange protocols and adversarial intervention.)

For the sake of this experiment we extend the usual capabilities of the adversary, U, in the UM by allowing it to perform a test-session query. That is, in addition to the regular actions of U against a key-exchange protocol π, we let U choose, at any time during its run, a test-session among the sessions that are completed, unexpired and unexposed at the time. Let k be the value of the corresponding session-key. We toss a coin b, b ←R {0,1}. If b = 0 we provide U with the value k. Otherwise we provide U with a value r randomly chosen from the probability distribution of keys generated by protocol π. The attacker U is now allowed to continue with the regular actions of a UM-adversary but is not allowed to expose the test-session (namely, it is not allowed session-state reveals, session-key queries, or partner’s corruption on the test-session or its matching session).² At the end of its run, U outputs a bit b' (as its guess for b).

We will refer to an attacker that is allowed test-session queries as a KE-adversary. 

Definition 1. A KE protocol π is called SK-secure if the following properties hold for any KE-adversary U in the UM.

1. Protocol π satisfies the property that if two uncorrupted parties complete matching sessions then they both output the same key; and

2. the probability that U guesses correctly the bit b (i.e., outputs b' = b) is no more than 1/2 plus a negligible fraction in the security parameter.

If the above properties are satisfied for all KE-adversaries in the AM then we say that π is SK-secure in the AM.

The first condition is a “consistency” requirement for sessions completed by two uncorrupted parties. We have no requirement on the session-key value of a session where one of the partners was corrupted before the session completed; in fact, most KE protocols allow a corrupted party to strongly influence the exchanged key. The second condition is the “core property” for SK-security. We note that the term ‘negligible’ refers, as customary, to any function (in the security parameter) that diminishes asymptotically faster than any polynomial fraction. (This formulation allows, if so desired, to quantify security via a concrete security treatment. In this case one quantifies the attacker’s power via specific bounds on computation time, number of corruptions, etc., while its advantage is bounded through a specific parameter ε.)

Discussion. We highlight three aspects of Definition 1:

— The attacker can keep running and attacking the protocol even after receiving the response (either real or random) to its test-session query. This ability (which represents a substantial strengthening of security relative to [?], see also [?]) is essential for proving the main property of SK-security shown in this paper, namely its guarantee of security when used to generate secure channels as described in Section 5.

— The attacker is not allowed to corrupt partners to the test-session or issue any other exposure command against that session while unexpired. This reflects the fact that there is no way to guarantee the secure use of a session-key that was exposed via an attacker’s break-in (or cryptanalysis). In particular, this restriction is instrumental for proving the security of specific important protocols (e.g., Diffie-Hellman key exchange) as done in Section 4.

— The above restriction on the attacker by which it cannot corrupt a partner to the test-session is lifted as soon as the session expires at that partner. In this case the attacker should remain unable to distinguish between the real value of the key and a random value. This is the basis of the guarantee of “perfect forward secrecy” provided by our definition and further discussed in Section 3.2.

² We stress, however, that the attacker is allowed to corrupt a partner to the test-session as soon as the test-session (or its matching session) expires at that party. See the discussion below. This may be the case even if the other partner has not yet expired the matching session or not even completed it.

We stress that in spite of its “compact” formulation Definition 1 is very powerful and can be shown to ensure many specific properties that are required from a good key-exchange protocol (see, for example, chapter 12 of [?]). Some of these properties include the guarantee that session-keys belong to the right probability distribution of keys (except if one of the partners is corrupted at the time of exchange), the “authenticity” of the exchange (namely, a correct and consistent binding between keys and parties’ identities), resistance to man-in-the-middle attacks (for protocols proven SK-secure in the UM), resistance to known-key attacks, forward secrecy, and more. However, we note that all these properties (which are sometimes listed as a replacement for a formal definition of security) in combination do not suffice to guarantee the most important aspect of key-exchange security that SK-security enjoys: namely, the composition of the key-exchange protocols with cryptographic functions to enable secure channels (e.g., the original definition of security in [?] does satisfy the above list of properties but is insufficient to guarantee secure channels).

We finally remark that Definition 1 makes security requirements from a KE protocol only in case the protocol completes KE-sessions. No guarantee is made that KE-sessions will ever return, or that they will not be aborted, i.e., that the corresponding session key will not be null. (In fact, a KE protocol where all KE-sessions “hang” and never return satisfies the definition.) One can add an explicit termination requirement for sessions in which the parties are uncorrupted and all messages are correctly delivered by the attacker. For simplicity, we choose to leave the analysis of the termination properties of protocols out of the scope of the definition of security.



3.2 Forward Secrecy 

Informally, the notion of “perfect forward secrecy” (PFS) is stated as the property that “compromise of long-term keys does not compromise past session keys”. In terms of our formalism this means that even if a party is corrupted (in which case all its stored secrets, short-term and long-term, become known to the attacker) then nothing is learned about sessions within that party that were previously unexposed and expired before the party corruption happened.

The provision that expired session-keys remain indistinguishable from random values even if a partner to that session is corrupted guarantees the perfect forward secrecy of SK-secure protocols. Put in other words, when proving a protocol to be SK-secure using Definition 1 one automatically gets a proof that that protocol guarantees PFS.

On the other hand, while PFS is a very important security property it is not required for all application scenarios, e.g., when only authentication is required, or when short-term secrecy suffices. Indeed, it is common to find in practice protocols that do not provide PFS and still are not considered insecure. One such typical case is “key-transport protocols” in which public key encryption is used to communicate a session-key from one party to another. (In this case, even if session-keys are erased from memory when no longer required, the corruption of a party may allow an attacker to compute, via the discovered long-term private keys, all the past session-keys.) Due to the importance of such protocols (they are commonly used in, e.g., SSL), and given that achieving PFS usually has a non-negligible computational cost, we define a notion of “SK-security without PFS” by simply disallowing the protocol’s action of key expiration. That is, under this modified model, session-keys never expire. This results in a weaker notion of security since now, by virtue of Definition 1, the attacker is never allowed to corrupt a partner to the test-session (or in other words, this weaker definition of security does not guarantee the security of a session-key for which one of the partners is ever corrupted).

Definition 2. We say that a KE protocol π satisfies SK-security without PFS if it enjoys SK-security relative to any KE-adversary in the UM that is not allowed to expire keys. (Similarly, if the above holds for any such adversaries in the AM then we say that π is SK-secure without PFS in the AM.)

4 SK-Secure Protocols 

This section demonstrates the usability of our definition of SK-security for proving the security of some simple and important key-exchange protocols. One is the original Diffie-Hellman protocol, the other is a simple “key transport” protocol based on public-key encryption. We first show that these protocols are secure in the simpler authenticated-links model (AM). Then, using the methodology from [2] we can apply to these protocols a variety of (symmetric or asymmetric) authentication techniques to obtain key-exchange protocols that are secure in the realistic UM model. Namely, applying any MT-authenticator (see Section 2.3) to the messages of the AM-protocol results in a secure KE protocol in the UM. The next theorem (proven in [?]) states that this methodology does work for our purposes.

Theorem 1. Let π be a SK-secure key-exchange protocol in the AM with PFS
(resp., without PFS) and let C be an authenticator. Then π' = C(π) is a SK-secure
key-exchange protocol in the UM with PFS (resp., without PFS).

For lack of space we only describe here the protocol based on Diffie-Hellman
exchange. The key-transport protocol based on public-key encryption is presented
and analyzed in [13].

4.1 Two-Move Diffie-Hellman 

We demonstrate that under the Decisional Diffie-Hellman (DDH) assumption
the ‘classic’ two-move Diffie-Hellman key-exchange protocol designed to work
against eavesdroppers-only is SK-secure in the AM. We denote this protocol by
2DH and describe it in Figure 1. Here and in the sequel all exponentiations are
modulo the defined prime p.



Protocol 2DH

Common information: Primes p, q with q | p−1, and g of order q in Z_p^*.

Step 1: The initiator, P_i, on input (P_i, P_j, s), chooses x ∈_R Z_q and sends
(P_i, s, α = g^x) to P_j.

Step 2: Upon receipt of (P_i, s, α) the responder, P_j, chooses y ∈_R Z_q, sends
(P_j, s, β = g^y) to P_i, erases y, and outputs the session key γ = α^y under
session-id s.

Step 3: Upon receipt of (P_j, s, β), party P_i computes γ' = β^x, erases x,
and outputs the session key γ' under session-id s.

Fig. 1. The two-move Diffie-Hellman protocol in the AM



Theorem 2. Assuming the Decisional Diffie-Hellman (DDH) assumption, protocol
2DH is SK-secure in the AM.

Using Theorem 1 we can apply any authenticator to this protocol to obtain
a secure Diffie-Hellman exchange against realistic UM attackers. For illustration,
a particular instance of such a SK-secure protocol in the UM, using digital
signatures for authentication, is shown in Section 4.2. Other flavors of
authenticated DH protocols can be derived in a similar way by using other
authenticators (e.g. based on public key encryption or on pre-shared keys [2]).

4.2 SK-Secure Diffie-Hellman Protocol in the UM

Here we apply the signature-based authenticator of [2] to the protocol 2DH from
Figure 1 to obtain a Diffie-Hellman key-exchange that is SK-secure in the UM.
We present the resultant protocol in Figure 2 (it is very similar to a protocol
specified in [23]). Its SK-security follows from Theorems 1 and 2.

Remarks on protocol SIG-DH. The protocol is the result of applying the
signature-based authenticator of [2] to the 2-pass Diffie-Hellman protocol of
Figure 1 where the values α and β (the DH exponentials) serve as the challenges
required by the signature-based authenticator. This assumes (as specified in
protocol 2DH) that these exponentials are chosen afresh for each new exchange
(otherwise each party can add an explicit nonce to the messages which is also
included under the signature). We note that the identity of the destination party
included under the signatures is part of the specification of the signature-based
authenticator of [2] and is fundamental for the security of the protocol.

Protocol SIG-DH

Initial information: Primes p, q with q | p−1, and g of order q in Z_p^*. Each
player has a private key for a signature algorithm SIG, and all have the public
verification keys of the other players.

Step 1: The initiator, P_i, on input (P_i, P_j, s), chooses x ∈_R Z_q and sends
(P_i, s, α = g^x) to P_j.

Step 2: Upon receipt of (P_i, s, α) the responder, P_j, chooses y ∈_R Z_q, and
sends to P_i the message (P_j, s, β = g^y) together with its signature
SIG_j(P_j, s, β, α, P_i); it also computes the session key γ = α^y and erases y.

Step 3: Upon receipt of (P_j, s, β) and P_j’s signature, party P_i verifies
the signature and the correctness of the values included in the signature
(such as players’ identities, session id, the value of exponentials, etc.). If
the verification succeeds then P_i sends to P_j the message
(P_i, s, SIG_i(P_i, s, α, β, P_j)), computes γ' = β^x, erases x, and outputs the
session key γ' under session-id s.

Step 4: Upon receipt of the triple (P_i, s, sig), P_j verifies P_i’s signature sig
and the values it includes. If the check succeeds it outputs the session
key γ under session-id s.

Fig. 2. Diffie-Hellman protocol in the UM: authentication via signatures.

The description of SIG-DH in Figure 2 assumes, as formalized in our model,
that the value s of the session-id is provided to the parties. In practice, one
usually generates the session identifier s as a pair (s_1, s_2) where s_1 is a
value chosen by P_i and different (with very high probability) from all other
such values chosen by P_i in his other sessions with P_j. Similarly, s_2 is
chosen by P_j with an analogous uniqueness property. These values s_1, s_2 can
be exchanged by the parties as a prologue to the above protocol (this may be the
case of protocols that implement such a prologue to exchange some other system
information and to negotiate exchange parameters; see for example [23]).
Alternatively, s_1 can be included by P_i in the first message of SIG-DH, and
s_2 be included by P_j in the second message. In any case, it is important that
these values be included under the parties’ signatures.



5 Applications to Secure Channels 

It is common practice to protect end-to-end communications by letting the end
parties exchange a secret session key and then use this key to authenticate and
encrypt the transmitted data under symmetric cryptographic functions. In order
for a key-exchange protocol to be considered secure it needs to guarantee that the
above strategy for securing data works correctly, namely, that by using a shared
key provided by the KE protocol one achieves sound authentication and secrecy.
As is customary, we will refer to a link between a pair of parties that achieves
these properties as a secure channel. While secure channels may have different
formalizations, here we restrict our treatment to the above setting of securing
communications using symmetric cryptography with a key derived from a
key-exchange protocol. We prove that an SK-secure key-exchange protocol, together
with a secure MAC and symmetric encryption appropriately combined, suffices
for realizing such secure channels.

For lack of space, this extended abstract contains only our treatment of the
task of authenticating the communication. Full treatment, including the task of
providing secrecy (both in the AM and in the UM), appears in [13].

A Template Protocol: Network Channel. We start by formalizing a “template
protocol” that captures a generic session-oriented KE-based protocol for
secure channels between pairs of parties in a multi-party setting with parties
P_1, ..., P_n. This template protocol, called NetChan, applies to the
unauthenticated-links model UM as well as to the authenticated-links model AM.
Later we will see specific implementations of this template protocol where the
generic ‘send’ and ‘receive’ primitives defined there are instantiated with
actual functions (e.g., for providing authentication and/or encryption). We will
also define what it means for such an implementation to be “secure”.

A (session-based) network channel protocol, NetChan(π, snd, rcv), is defined on
the basis of a KE protocol π, and two generic functions snd and rcv. (A more
general treatment can be obtained by considering these functions as interactive
protocols but we leave this more general approach beyond the scope of the
present paper.) Both snd and rcv are probabilistic functions that take as
arguments a session-key (we denote this key as a subscript to the function) and a
message m. The functions may also depend on other session information such as
a session-id and partner identifiers. The output of snd is a single value m',
while the output of rcv is a pair (v, ok) where ok is a bit and v an arbitrary
value. (The bit ok will be used to return a verification value, e.g. the result
of verifying an authentication tag.) On the basis of such functions we define
NetChan(π, snd, rcv) in Figure 3.

Network Authentication. On the basis of the above formalism, we treat
the case of network channels that provide authentication of information over
adversary-controlled channels. Namely, we are interested in a NetChan protocol
that runs in the unauthenticated-links model UM and yet provides authenticity of
transmitted messages. This implementation of NetChan (which we call NetAut)
will be aimed at capturing the practice by which communicating parties use
a key-exchange protocol to establish a shared session key, and use that key
to authenticate (via a message authentication function, MAC) the information
exchanged during that session. Namely, if P_i and P_j share a matching session s
and P_i wants to send a message m to P_j during that session then P_i transmits
m together with MAC_κ(m) where κ is the corresponding session key. Thus, in
this case we will instantiate the snd and rcv functions of NetChan with a MAC
function as follows.

Protocol NetAut. Let π be a KE protocol and let f be a MAC function. Protocol
NetAut(π, f) is protocol NetChan(π, snd, rcv) as defined in Figure 3 where
functions snd and rcv are defined as:

— On input m, snd_κ(m) produces output m' = (m, t) = (m, f_κ(m)).

— On input m', rcv_κ(m') outputs (v, ok) as follows. If m' is of the form (m, t),
and the pair (m, t) passes the verification function of f under key κ, then
ok = 1 and v = m. Otherwise, ok = 0 and v = null.

Protocol NetChan(π, snd, rcv)

NetChan(π, snd, rcv) is initialized with the same initialization function I of
the KE protocol π. It can then be invoked within a party P_i under the
following activations:

1. establish-session(P_i, P_j, s, role): this triggers a KE-session under π
within P_i with partner P_j, session-id s and role ∈ {initiator, responder}. If
the KE-session completes, P_i records in its local output “established
session s with P_j” and stores the generated session key.

2. expire-session(P_i, P_j, s): P_i marks session (P_i, P_j, s) (if it exists at
P_i) as expired and the session key is erased. P_i records in its local output
“session s with P_j is expired”.

3. send(P_i, P_j, s, m): P_i checks that session (P_i, P_j, s) has been completed
and not expired; if so it computes m' = snd_κ(m), using the corresponding
session key κ, sends (P_i, s, m') to P_j, and records “sent message
m to P_j within session s” in the local output.

4. On incoming message (P_j, s, m'), P_i checks that the session (P_i, P_j, s)
has been completed and not expired; if so it computes (m, ok) = rcv_κ(m')
under the corresponding session key κ. If ok = 1 then P_i records “received
message m from P_j within session s.” If ok = 0 then no further action is
taken.

Fig. 3. A generic network channels protocol

In order to simplify and shorten presentation we assume that no two send
activations within a session contain the same message. One can easily implement
this assumption by specifying that the sender concatenates to the message a
unique message id. In the cases where we care about preventing replay of
messages by the attacker (as is usually the case when providing message
authentication) then message id’s need to be specified in a way that the receiver
can check their uniqueness (in this case sender and receiver maintain a shared
state).
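The following Python is an added worked example, not code from the paper: it runs protocol 2DH of Figure 1 in the AM and then exercises NetAut's snd and rcv over the resulting session key, including the message-id uniqueness check that rejects a replayed message. It assumes a constructed toy group (p = 23, q = 11, g = 4, far too small to be secure), HMAC-SHA256 as the MAC function f, the DH value itself as the session key κ, and an 8-byte random message id that the receiver records per session.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only (far too small to be secure):
# p = 23 = 2q + 1 with q = 11, and g = 4 has order q in Z_23^*.
P, Q, G = 23, 11, 4
KEY_LEN = (P.bit_length() + 7) // 8   # bytes needed to encode a group element
MID_LEN = 8                           # length of the unique message id


def mac(key: bytes, m: bytes) -> bytes:
    """The MAC function f of NetAut, instantiated here with HMAC-SHA256."""
    return hmac.new(key, m, hashlib.sha256).digest()


class Party:
    """A party P_i running 2DH (Fig. 1) in the AM and NetAut on the result."""

    def __init__(self, name: str):
        self.name = name
        self.ephemeral = {}   # session-id -> (partner, private exponent), until erased
        self.keys = {}        # session-id -> (partner, session key kappa)
        self.seen = {}        # session-id -> message ids already accepted (replay check)
        self.output = []      # the "local output" records of Fig. 3

    # --- Protocol 2DH, Fig. 1 ---
    def initiate(self, partner: str, s: str):
        """Step 1: choose x in Z_q and send (P_i, s, alpha = g^x)."""
        x = secrets.randbelow(Q - 1) + 1
        self.ephemeral[s] = (partner, x)
        return (self.name, s, pow(G, x, P))

    def respond(self, msg):
        """Step 2: choose y, send (P_j, s, beta = g^y), output gamma = alpha^y, erase y."""
        sender, s, alpha = msg
        y = secrets.randbelow(Q - 1) + 1
        beta = pow(G, y, P)
        self._complete(s, sender, pow(alpha, y, P))
        del y                 # the ephemeral exponent is erased
        return (self.name, s, beta)

    def finish(self, msg):
        """Step 3: compute gamma' = beta^x, erase x, output gamma' under session-id s."""
        sender, s, beta = msg
        partner, x = self.ephemeral.pop(s)   # x is erased from the party's state
        if partner != sender:
            raise ValueError("response from an unexpected party")
        self._complete(s, sender, pow(beta, x, P))

    def _complete(self, s, partner, gamma):
        kappa = gamma.to_bytes(KEY_LEN, "big")   # the session key is the DH value itself
        self.keys[s] = (partner, kappa)
        self.output.append(f"established session {s} with {partner}")

    # --- NetAut(2DH, f): the snd/rcv instantiation of NetChan (Fig. 3) ---
    def send(self, partner: str, s: str, m: bytes):
        """snd_kappa(m) = (m, f_kappa(m)), with a fresh message id prepended to m."""
        if s not in self.keys or self.keys[s][0] != partner:
            raise ValueError("no completed, unexpired session")
        kappa = self.keys[s][1]
        body = secrets.token_bytes(MID_LEN) + m
        self.output.append(f"sent message {m!r} to {partner} within session {s}")
        return (self.name, s, (body, mac(kappa, body)))

    def receive(self, msg):
        """rcv_kappa(m'): returns (m, 1) on a fresh, valid tag, else (None, 0)."""
        sender, s, (body, tag) = msg
        if s not in self.keys or self.keys[s][0] != sender:
            return (None, 0)                     # unknown session: no action
        kappa = self.keys[s][1]
        if not hmac.compare_digest(tag, mac(kappa, body)):
            return (None, 0)                     # forged or modified message
        mid, m = body[:MID_LEN], body[MID_LEN:]
        accepted = self.seen.setdefault(s, set())
        if mid in accepted:
            return (None, 0)                     # replayed message id
        accepted.add(mid)
        self.output.append(f"received message {m!r} from {sender} within session {s}")
        return (m, 1)


def run_demo():
    """One 2DH exchange followed by a genuine, a replayed and a tampered message."""
    pi, pj = Party("Pi"), Party("Pj")
    s = "s1"
    pj_msg = pj.respond(pi.initiate("Pj", s))
    pi.finish(pj_msg)
    same_key = pi.keys[s][1] == pj.keys[s][1]
    wire = pi.send("Pj", s, b"hello")
    first = pj.receive(wire)
    replay = pj.receive(wire)                     # same message id delivered again
    sender, sid, (body, tag) = wire
    flipped = body[:-1] + bytes([body[-1] ^ 1])   # one bit of m altered in transit
    tampered = pj.receive((sender, sid, (flipped, tag)))
    return same_key, first, replay, tampered


if __name__ == "__main__":
    print(run_demo())
```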

Our goal is to show that if the key-exchange protocol π is SK-secure and the
MAC function f is secure (against chosen-message attacks) then the resultant
network channels protocol NetAut(π, f) provides authenticated transmission of
information. This requirement can be formulated under the property that “any
message recorded by P_j as received from P_i has been necessarily recorded as
sent by P_i, except if the pertinent session is exposed”. We will actually
strengthen this requirement and ask that a network channels protocol provides
authentication if it emulates (i.e. imitates) the transmission of messages in
the ideally authenticated-links model AM. Formally, we do so using the notion of
protocol emulation and the formalization (see Section 2.3) of the message
transmission protocol (MT) in the AM as done in [2]. Recall that MT is a simple
protocol that defines the transmission of individual messages in the AM. Here we
extend the basic definition of MT to a session-based message transmission
protocol called SMT. By proving that the network channels protocol NetAut
emulates SMT in the UM we get the assurance that transmitting messages over
unauthenticated links using NetAut is as secure as transmitting them in the
presence of an attacker that is not allowed to change or inject messages over
the communication links.

The SMT protocol. We extend protocol MT from [2] to fit our session-based
setting in which transmitted messages are grouped into different sessions. We
call the extended protocol a session-based message transmission protocol (SMT),
and define it in Figure 4. Note the structural similarity between SMT and
NetChan: the differences are that no actual key-exchange is run in SMT, and the
functions snd and rcv are instantiated to simple “identity functions”.



Protocol SMT

Protocol SMT can be invoked within a party P_i under the following
activations:

1. establish-session(P_i, P_j, s): in this case P_i records in its local output
“established session s with P_j”.

2. expire-session(P_i, P_j, s): in this case P_i records in its local output
“session s with P_j is expired”.

3. send(P_i, P_j, s, m): in this case P_i checks that session (P_i, P_j, s) has
been established and not expired; if so it sends message m to P_j together
with the session-id s (i.e., the values m and s are sent over the ideally
authenticated link between P_i and P_j); P_i records in its local output
“sent message m to P_j within session s”.

4. On incoming message (m, s) received over its link from P_j, P_i checks
that session (P_i, P_j, s) is established and not expired; if so it records in
the local output “received message m from P_j within session s”.

Fig. 4. SMT: The session-based MT protocol in the AM.



Protocol SMT represents a perfectly authenticated exchange of messages. An
implementation of protocol NetChan is said to be a secure network authentication
protocol if it emulates (see the definition of emulation in Section 2) protocol
SMT in the UM.

Definition 3. Protocol NetChan(π, snd, rcv) is called a secure network
authentication protocol if it emulates protocol SMT in the UM.

The following theorem is proven in [13]:

Theorem 3. If π is a SK-secure key-exchange protocol in the UM and snd, rcv
are based as described above on a MAC function f that is secure against chosen
message attacks, then protocol NetAut(π, snd, rcv) is a secure network
authentication protocol.

Network Encryption and Secure Channels Protocols. For lack of space,
we omit from this extended abstract two basic components in our work (the
complete treatment appears in [13]). One is the formalization of a network
encryption protocol and its security, the other is the definition of a secure
channels protocol. These formalizations are based, as in the case of the network
authentication protocol, on the above generic network channels template. In the
case of the network encryption protocol, security (in the sense of secrecy) is
formulated following the indistinguishability approach. Secure channels are then
defined as network channel protocols that are simultaneously secure network
authentication and secure network encryption protocols. Implementations of such
secure protocols are presented using SK-secure key-exchange protocols and secure
encryption and authentication functions. One particularly interesting aspect of
our work is highlighted by recent results in [25] where it is demonstrated that
the specific ordering of encryption and authentication as applied here is
instrumental for achieving secure channels (if one assumes the standard strength,
i.e. against chosen-plaintext attacks, of the encryption function). As it turns
out, other common orderings of these functions do not guarantee secure channels
in this case (even if the KE protocol in use is secure).
A A Comparison with [34]

Section 1.1 mentioned the work by Shoup on definitions and analysis of KE
protocols. This appendix further expands on some of the differences between
that work and ours.

We start with a short summary of the relevant parts of [34]. Shoup’s
definitions are based on the simulatability approach of [?] with some
significant modifications. Three levels of security are presented: static
security (i.e., security against adversaries that corrupt parties only at the
onset of the computation), adaptive security (where the adversary obtains only
the long-term information of a newly corrupted party) and strongly adaptive
security where the adversary obtains all the private information of corrupted
parties. (Oddly, strongly adaptive security does not imply adaptive security.)
In addition, two definitions based on the indistinguishability approach of
Bellare and Rogaway [?] are presented. The first is aimed at capturing security
without perfect forward secrecy (PFS), and is shown to be equivalent to the
static variant of the simulation-based definition. The second is aimed at
capturing security with PFS, and is claimed to be equivalent to the adaptive
variant of the simulation-based definition. Sufficiency of the definitions for
constructing secure-channel protocols is informally argued, but is not proved
nor rigorously claimed.

While the first variant of the indistinguishability-based definition is roughly
equivalent to the non-PFS variant presented here (modulo the general differences
mentioned below), the second variant is strictly weaker than our PFS formulation
of SK-security. Specifically, the definition in [34] accepts as secure protocols
that do not erase sensitive ephemeral data (e.g. protocol DHKE-1 in [34]), while
the definition here treats these protocols as insecure.

There are several other technical and methodological differences between
the two works that we mention next. (a) A major methodological difference is
our use of the authenticated-links model and authenticators as a simplifying
analysis tool. While our formalization of security does not mandate the use of
this methodology, we carefully build our definitions to accommodate the use of
this tool. (b) Shoup allows the adversary a more general attack than session-key
query, namely an application attack that reveals an arbitrary function of the
key. Our modeling does not define this explicit attack as it turns out to be
unnecessary for guaranteeing secure channels. (c) Here we consider an additional
adversarial behavior that is not treated in [34]. Specifically, we protect
against adversaries that obtain the internal state of corrupted sessions (even
without fully corrupting the corresponding parties) by requiring that such
exposure will not compromise other protocol sessions run by the same parties.
This protection is not guaranteed by some protocols suggested in [34] (e.g.,
protocol DHKE). (d) The treatment of the interaction with the certificate
authority (CA). In [34] the interaction with the CA is an integral part of every
KE protocol, whereas here this interaction with the CA is treated as a separate
protocol. We make this choice for further modularity and ease of proof. Yet, as
we already remarked in Section [?], the CA protocol needs to be taken into
consideration with any full specification and analysis of actual KE protocols.
(e) The treatment of the session-id’s. In [34] the session-id’s are artificially
given to the parties by the model, which results, in our view, in a more
cumbersome formalization of the security conditions. In contrast, here we adopt
a more natural approach where the session-id’s are generated by the calling
protocol and security is guaranteed only when these session-id’s satisfy some
minimal (and easy to implement) conditions. In particular, this formalism can be
satisfied by letting the parties jointly generate the session-id (as is common
in practice).

Overall, we believe that the approaches in this work and in [34] are not
“mutually exclusive” and both can be useful depending on a particular setting
or even taste. However, for [34] to be truly useful, and for a full comparison
and assessment to be possible, many of the missing definition and proof details
in that work will need to be completed. Especially, rigorous proofs of protocols
and a definition of secure channels are needed to assess the sufficiency of
these protocols for providing the basic secure-channels functionality.
Abstract. There has been much interest in password-authenticated
key-exchange protocols which remain secure even when users choose passwords
from a very small space of possible passwords (say, a dictionary of English
words). Under this assumption, one must be careful to design protocols which
cannot be broken using off-line dictionary attacks in which an adversary
enumerates all possible passwords in an attempt to determine the correct one.
Many heuristic protocols have been proposed to solve this important problem.
Only recently have formal validations of security (namely, proofs in the
idealized random oracle and ideal cipher models) been given for specific
constructions [?].

Very recently, a construction based on general assumptions, secure in the
standard model with human-memorable passwords, has been proposed by Goldreich
and Lindell [?]. Their protocol requires no public parameters; unfortunately, it
requires techniques from general multi-party computation which make it
impractical. Thus, [?] only proves that solutions are possible “in principle”.
The main question left open by their work was finding an efficient solution to
this fundamental problem.

We show an efficient, 3-round, password-authenticated key exchange protocol with
human-memorable passwords which is provably secure under the Decisional
Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation
than “standard” Diffie-Hellman key exchange [?] (which provides no
authentication at all). We assume public parameters available to all parties.
We stress that we work in the standard model only, and do not require a “random
oracle” assumption.



1 Introduction 

1.1 Background 

Protocols which allow for mutual authentication of two parties and for
generating a cryptographically-strong shared key between them (authenticated key
exchange) underly most interactions taking place on the Internet. The importance
of this primitive has been realized for some time by the security community (see
[?] for exhaustive references), followed by an increasing recognition that
precise definitions and formalization were needed. The first formal treatments
[?] were in a model in which participants already share some
cryptographically-strong information: either a secret key which can be used for
encryption/authentication of messages, or a public key which can be used for
encryption/signing of messages. The setting arising most often in practice — in
which (human) users are only capable of storing “human-memorable” passwords
(password-authenticated key exchange) — remains much less studied, though many
heuristic protocols exist. Indeed, only recently have formal definitions of
security for this setting appeared [?].

The problem (in the standard model; i.e., without random oracles) is difficult
precisely because it requires “bootstrapping” from a weak shared secret to a
strong one. In fact, it is not even a priori clear that a solution is possible.
Completeness results for multi-party computation [?] do not directly apply here
due to the strong adversarial model considered (see Section 2). In particular,
the adversary may ask for concurrent (arbitrarily-interleaved) executions of the
protocol, may modify messages or even prevent their delivery, may impersonate
participants in the protocol and act as a “man-in-the-middle”, and may corrupt
all protocol participants. Nevertheless, in a very recent paper, Goldreich and
Lindell [?] have shown that in principle, this problem is solvable based on
any trapdoor permutation (leaving open the question of whether a practical
solution is possible). We show, perhaps somewhat surprisingly, the existence
of an efficient solution for human-memorable passwords under the Decisional
Diffie-Hellman assumption.



1.2 The Adversarial Model 

The setting is as follows (a formal discussion appears in Section 2): two
parties within a larger network who share a weak (low-entropy) password wish to
authenticate each other and generate a strong session key for protecting their
subsequent communication. An adversary controls all communication in the
network. Thus, messages may be tampered with, delivered out-of-order, or not
delivered at all; the adversary may also ask for arbitrarily-interleaved
executions of the protocol. Finally, the adversary may corrupt selected
instances (see below) of the participants and obtain the session keys generated
by successful executions of the protocol. The adversary succeeds if he can cause
a participant to compute a session key which the adversary can then distinguish
from random.

Since the space of possible passwords is small, an adversary who has monitored
a conversation may enumerate all possible passwords and try to match the
recorded conversation to each one. As an example, any challenge-response
protocol in which one party sends challenge N and the other responds with
f(password, N) is trivially susceptible to this attack, regardless of f (note
that such an attack is not possible by a poly-time adversary, for appropriate
choice of f, when the parties share a high-entropy password). Additionally, the
fact that the adversary can corrupt instances and determine the actual session
key means that the protocol must ensure consistency between the recorded
conversation and these session keys, even while not revealing any information
about the password. These complications make this problem much harder than the
case in which participants already share a strong key at the outset of the
protocol.

What does security mean in a model which is inherently insecure? Indeed, 
since passwords are chosen from a small space, an adversary can always try each 
possibility one at a time in an impersonation (on-line) attack. Thus, we say a 
protocol is secure (informally) if this exhaustive guessing is the best an adversary 
can do. For a real-world adversary, such on-line attacks are the hardest to mount, 
and they are also the easiest to detect. It is very realistic to assume that the 
number of on-line attacks an adversary is allowed is severely limited, while other 
attacks (eavesdropping, off-line password guessing) are not. 



1.3 Previous Work 



The problem of off-line attacks in password-authenticated protocols was first
noted by Bellovin and Merritt [?], followed by a flurry of work in the security
community providing additional solutions with heuristic arguments for their
security (see [?] for exhaustive references). More recently, two formal models
for password-authenticated key exchange have been proposed: one by Bellare,
Pointcheval, and Rogaway [3], based on [?] with extensions suggested by [?];
and a second by Boyko, MacKenzie, and Patel [?], following [?] with extensions
given in [?]. While both models have their advantages, we choose to work in
the first model and review the appropriate definitions in Section 2.

These models all assume that two parties wishing to communicate share only
a human-memorable password; in particular, they do not assume a public-key
infrastructure (PKI) which allows participants to generate and share public
keys. Definitions for security in this setting have also been proposed [?] and,
in fact, the first protocols resistant to off-line dictionary attacks were given
in this model. However, the requirement of a secure PKI is a strong one, and we
wish to avoid it.

Only recently have formal validations of security for specific protocols
appeared [?]. However, these validations are not proofs in the standard model;
[3] relies on ideal ciphers, while [?] rely on random oracles. More recently,
Goldreich and Lindell [?] have shown a protocol based on general assumptions
which is secure in the standard model. Interestingly, in contrast to the present
work, their protocol does not require public parameters. Unfortunately, their
construction requires a non-constant number of rounds and also requires
techniques from generic multi-party computation [?]. Thus, their scheme serves
as a general plausibility result (a terminology coined in [?]), but is much too
inefficient for practical use. Finally, as pointed out by the authors
themselves, the solution of [?] does not allow for concurrent executions of the
protocol between parties using the same password.




Jonathan Katz, Rafail Ostrovsky, and Moti Yung



1.4 Our Contribution 



Security validation via proofs in the random oracle and ideal cipher models is
useful, as it lends a measure of confidence to protocols whose security would
otherwise be only heuristic. On the other hand, proofs of security in these
models do not necessarily translate to real-world security [?], so it is
important to have proofs under standard cryptographic assumptions. We prove the
security of our construction using only the Decisional Diffie-Hellman (DDH)
assumption.

Efficiency is especially important in this setting, where security concerns are
motivated by very practical considerations (human users’ inability to remember
long secrets). We stress that our scheme, though provably secure, is very
practical even when compared to heuristically-secure protocols such as [?] or
the original Diffie-Hellman protocol [?] (which does not provide any
authentication). Our protocol requires only three rounds and has communication
and computational complexity only (roughly) 5-8 times greater than the above
solutions. Furthermore, we are able to construct our scheme without making
stronger assumptions (the DDH assumption is used in [?]).

Although our solution relies on public-key techniques (in fact, this is
necessary [?]) we emphasize that our protocol is not a “public-key solution”
(as in [?]). In particular, we do not require any participant to have a public
key, but instead rely on one set of common parameters shared by everyone in the
system. This avoids problems associated with public key infrastructures (such
as revocation, centralized trust, key management issues, etc.), and also allows
new servers and clients to join the network at any time during execution of the
protocol without requiring access to an on-line, centralized (trusted)
authority (in fact, they do not even need to inform anyone else of their
presence). Furthermore, no participants know the “secret key” associated with
the public parameters. This eliminates the risk that compromise of a participant
will compromise the security of the entire system.

The construction given here is secure under both the notion of basic security
and the stronger notion of “forward security” (in the weak corruption model).
In this initial version we concentrate on basic security only, and leave the
topic of forward security for the final version.



2 Model and Definitions 

The reader is assumed to be familiar with the model of |3| , which is the model in 
which we prove security of our protocol. For completeness, we review the main 
points of their definition here, and refer the reader to 0 for more details. 

Principals, Passwords, and Initialization. We have a fixed set of protocol 
participants (principals), each of which is either a client C ∈ Client or a server 
S ∈ Server (Client and Server are disjoint). We let User = Client ∪ Server. Each 
C ∈ Client has a password pw_C. Each S ∈ Server has a vector PW_S = (pw_C)_{C ∈ Client} 
which contains the passwords of each of the clients (we assume that all clients 
share passwords with all servers). Recall that pw_C is what client C remembers 
to log in; therefore, it is assumed to be chosen from a relatively small space of 
possible passwords. 

Before the protocol is run, an initialization phase occurs during which public 
parameters are set and passwords are chosen for each client. We assume that 
passwords for each client are chosen independently and uniformly^ at random 
from the set {1, ..., N}, where N is a constant, independent of the security 
parameter. 

Execution of the Protocol. In the real world, protocol P determines how 
principals behave in response to signals (input) from their environment. Each 
principal is able to execute the protocol multiple times with different partners; 
this is modeled by allowing each principal an unlimited number of instances in 
which to execute the protocol (see 0). We denote instance i of user U as π_U^i. 
A given instance is used only once. The adversary is assumed to have complete 
control over all communication in the network. Thus, the adversary’s interaction 
with the principals is modeled via access to oracles whose inputs may range over 
U ∈ User and i ∈ N; this allows the adversary to “interact with” different 
instances. Global state is maintained throughout the entire execution for each 
instance with which the adversary interacts (this global state is not directly 
visible to the adversary); the global state for an instance may be updated by 
an oracle during an oracle call, and the oracle’s output may depend upon this 
state. The oracle types, as defined in |^, are: 

— Send(U, i, M) — This sends message M to instance π_U^i. The oracle runs this 
instance as in a real execution, maintaining state as appropriate. The output 
of π_U^i is given to the adversary in addition to other information; see 0. 

— Execute(C, i, S, j) — This oracle executes the protocol between instances π_C^i 
and π_S^j, where C ∈ Client and S ∈ Server, and outputs a transcript of this 
execution. This transcript includes everything an adversary would see when 
eavesdropping on a real-world execution of the protocol, as well as other 
information; see P|. 

— Reveal(U, i) — This outputs the session key sk_U^i (stored as part of the global 
state) of instance π_U^i. 

— Test(U, i) — This query is allowed only once, at any time during the adver- 
sary’s execution. A random bit b is generated; if b = 1 the adversary is given 
sk_U^i, and if b = 0 the adversary is given a random session key. 

Advantage of the Adversary. Event Succ occurs (adversary A succeeds) if 
she asks a single Test query, outputs a bit b', and b' = b (where b is the bit chosen 
by the Test oracle). The advantage of A in attacking protocol P is defined as 
2Pr[Succ] − 1. If the adversary were unrestricted, success would be 
trivial (since the adversary could submit a Reveal query for the same instance 
submitted to the Test oracle). Clearly, some restrictions must be imposed. Before 
describing these, we formalize the idea of partnering. Intuitively, instances π_U^i 
and π_{U'}^j are partnered if they have jointly run protocol P. Formally, we define 
a session-id (sid) for each instance, and say that two instances are partnered 
if they hold the same sid (which is not null). Here, we define the sid as the 
concatenation of all messages sent and received by an instance (i.e., a transcript 
of the execution). The following restriction may now be imposed on an adversary 
whose Test query is (U, i): a Reveal query may not be called on (U, i) or on 
(U', j), where π_{U'}^j is partnered with π_U^i. Furthermore, instance π_U^i must have 
completed execution, and therefore have a non-null session key defined. 

^ This is for ease of presentation only, as our analysis can be extended easily to handle 
arbitrary distributions, including users with inter-dependent passwords. 

A poly-time adversary will be able to break any protocol by attempting to 
impersonate a user and trying all passwords one-by-one (the size of the password 
space is independent of the security parameter — indeed, this is what distin- 
guishes the problem from that of pifij). So, we say that a given protocol is secure 
when this kind of attack is the best an adversary can do. More formally, let q_send 
be the number of calls the adversary makes to the Send oracle. A protocol is se- 
cure if, when passwords are chosen from a dictionary of size N, the adversary’s 
advantage in attacking the protocol is bounded by 

$O(q_{send}/N) + \varepsilon(k),$ 

for some negligible function ε(·). The first term represents the fact that the 
adversary can (essentially) do no better than guess a password during each call 
to the Send oracle^. In particular, even polynomially-many calls to the Execute 
oracle (i.e., passive observations of valid executions) and the Reveal oracle (i.e., 
compromise of short-term session keys) are of no help to an adversary; only on- 
line impersonation attacks (which are harder to mount and easier to detect) give 
the adversary a non-negligible advantage. 

Concrete security is particularly important in this setting since the adver- 
sary’s advantage is non-negligible (assuming Send queries are made). We quan- 
tify an adversary’s maximum advantage as a function of the adversary’s running 
time t and the number of queries made to the Send, Execute, and Reveal oracles 
(q_send, q_execute, and q_reveal respectively). 



3 A Provably Secure Protocol for Password-AKE 

3.1 Building Blocks 

Our protocol and proof of security rely on a number of building blocks. First, our 
protocol uses the Cramer-Shoup cryptosystem m which is secure under adap- 
tive chosen-ciphertext attack. Actually, we require an extension of the Cramer- 
Shoup cryptosystem, which remains secure under adaptive chosen-ciphertext 
attack. Our extension defines two “types” of encryption: client-encryption and 
server-encryption. Details appear in Appendix B. We will also need a one-time 
signature scheme m secure against existential forgery m. Finally, our proof of 
security relies on the Decisional Diffie-Hellman (DDH) assumption (note 
that the security of the Cramer-Shoup cryptosystem requires the DDH assump- 
tion already). We review these components in Appendix A and also explicitly 
quantify their (in)security, which is necessary for an explicit analysis of the ad- 
versary’s maximum advantage in attacking the key exchange protocol. 

^ A tighter definition of security would require that the adversary’s advantage be 
bounded by q_send/rN + ε(k), where r is the minimum number of messages an ad- 
versary needs to send in order to cause (completion of the protocol and) a non-null 
session key to be defined. An analysis of our proof indicates that the security 
of our construction is indeed tight in this respect. 

Chosen-ciphertext-secure encryption has been used previously in the context 
of secure key exchange I2I20I9I2H1 . However, as pointed out above, our protocol 
differs from these works in that it does not require the assumption of a public- 
key infrastructure, and no participant holds a secret key or publishes a public 
key. Indeed, “decryption” is never performed during execution of our protocol. 



3.2 The Protocol 

A high-level description of the protocol is given in Figure 1. Let p, q be primes 
such that q | p − 1, and let G be a subgroup of Z_p^* of order q in which the DDH as- 
sumption holds. During the initialization phase, generators g1, g2, h, c, d ∈ G and 
a function H from a family of universal one-way hash functions ^ 3 ] (which can be 
based on any one-way function | 2 tilj l) are chosen at random and published. Note 
that this public information is not an added assumption^; “standard” Diffie- 
Hellman key exchange m typically assumes that parties use a fixed generator g 
(although this is not necessary), and EE 3 seem to require a public generator g 
for their proofs of security. However, we do require that no one know the discrete 
logarithms of any of the generators with respect to any other, and thus we need 
either a trusted party who generates the public information or else a source of 
randomness which can be used to publicly derive the information. 

As part of the initialization phase, passwords are chosen randomly for each 
client. We assume that all passwords lie in (or can be mapped to) Z_q. For typical 
values of |q|, this will be a valid assumption for human-memorable passwords. 

Execution of the protocol is as follows (see Figure 1): When client C wants 
to connect to server S, the client first runs the key generation algorithm for 
the one-time signature scheme, giving VK and SK. Then, the client computes 
a client-encryption (see Appendix B) of g1^{pw_C}. This, along with the client’s 
name, is sent to the server as the first message. The server chooses random 
elements x2, y2, z2, w2 from Z_q, computes α' using the first message, and forms 
E = g1^{x2} g2^{y2} h^{z2} (cd^{α'})^{w2}. The server then computes a server-encryption (see Appendix 
B) of g1^{pw_C}. This is sent back to the client as the second message. The client 
selects random elements x1, y1, z1, w1 from Z_q, computes β' using the second 
message, and forms K = g1^{x1} g2^{y1} h^{z1} (cd^{β'})^{w1}. Finally, β' and K are signed us- 
ing the signing key which was generated in the first step. The sid is defined as 
the transcript of the entire conversation. A formal description of the protocol 
appears in Appendix Q. 



^ The protocols of \22VT\, however, do not require any public information. 

Public information: p, q, g1, g2, h, c, d, H 

Client                                        Server 

(VK, SK) ← SigGen(1^k) 
r1 ← Z_q 
A = g1^{r1}; B = g2^{r1} 
C = h^{r1} · g1^{pw_C} 
α = H(Client|VK|A|B|C) 
D = (cd^α)^{r1} 
              --- Client|VK|A|B|C|D ---> 
                                              x2, y2, z2, w2, r2 ← Z_q 
                                              α' = H(Client|VK|A|B|C) 
                                              E = g1^{x2} g2^{y2} h^{z2} (cd^{α'})^{w2} 
                                              F = g1^{r2}; G = g2^{r2} 
                                              I = h^{r2} · g1^{pw_C} 
                                              β = H(Server|E|F|G|I) 
                                              J = (cd^β)^{r2} 
              <--- Server|E|F|G|I|J --- 
x1, y1, z1, w1 ← Z_q 
β' = H(Server|E|F|G|I) 
K = g1^{x1} g2^{y1} h^{z1} (cd^{β'})^{w1} 
Sig = Sign_SK(β'|K) 
              --- K|Sig ---> 
I' = I/g1^{pw_C} 
sk_C = E^{r1} F^{x1} G^{y1} I'^{z1} J^{w1} 
                                              if Verify_VK((β|K), Sig) = 1 
                                                C' = C/g1^{pw_C} 
                                                sk_S = A^{x2} B^{y2} C'^{z2} D^{w2} K^{r2} 
                                              else sk_S ← G 

Fig. 1. The protocol for password-AKE. See text for details. 



The protocol description in Figure 1 omits many implementation details 
which are important for the proof of security to hold. Most important is for both 
client and server to perform a “validity check” on the messages they receive. In 
particular, each side should check that the values they receive are actually in 
the group G and are not the identity (in other words, it is required to check 
that the group elements indeed have order q) . Note that such validity checks are 
required even for chosen-ciphertext security of the underlying Cramer-Shoup 
cryptosystem. 
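A toy end-to-end run of the three-flow protocol of Figure 1 together with the validity checks just described, as an added example (not the authors' code): the group is the order-q subgroup of a small safe-prime field found at import time (far too small for real use), the universal one-way hash is replaced by SHA-256 as Section 3.3 permits, and the one-time signature is a Lamport scheme over SHA-256. The function names (client_flow1, server_flow2, client_flow3, server_flow4, run), the participant names alice and srv, and the raise-on-invalid-message behaviour are this example's own choices.

```python
import hashlib, math, os, secrets

def is_prime(n):            # trial division: fine for the toy sizes used here
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

def toy_group():
    """First safe prime p = 2q + 1 with q > 10**6 (toy size: fast, not secure)."""
    q = 10**6 + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = toy_group()          # G = the squares mod p, a subgroup of prime order q

def rand_elem():            # random non-identity square: a generator of G, dlog unknown
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def in_group(x):            # validity check of Section 3.2: x in G and x != identity
    return 1 < x < P and pow(x, Q, P) == 1

def H(*parts):
    """SHA-256 over length-prefixed fields, reduced into Z_q (stand-in for the UOWHF)."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def sig_gen():              # Lamport one-time signature over SHA-256 (SigGen)
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    vk = b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in sk)
    return vk, sk

def _bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(vk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == vk[64 * i + 32 * b:64 * i + 32 * b + 32]
        for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def setup():                # initialization: generators g1, g2, h, c, d with unknown dlogs
    return dict(zip(("g1", "g2", "h", "c", "d"), (rand_elem() for _ in range(5))))

def cd(pp, tag, r):         # (c * d^tag)^r, the Cramer-Shoup style component D or J
    return pow(pp["c"] * pow(pp["d"], tag, P) % P, r, P)

def client_flow1(pp, client, pw):
    vk, sk = sig_gen()
    r1 = secrets.randbelow(Q - 1) + 1                    # nonzero, so A and B are never 1
    A, B = pow(pp["g1"], r1, P), pow(pp["g2"], r1, P)
    C = pow(pp["h"], r1, P) * pow(pp["g1"], pw, P) % P   # client-encryption of g1^pw
    alpha = H(client, vk, A, B, C)
    return (client, vk, A, B, C, cd(pp, alpha, r1)), {"sk": sk, "r1": r1}

def server_flow2(pp, server, msg1, pw_table):
    client, vk, A, B, C, D = msg1
    if not all(in_group(v) for v in (A, B, C, D)):
        raise ValueError("first message rejected: element outside G or the identity")
    x2, y2, z2, w2 = (secrets.randbelow(Q) for _ in range(4))
    r2 = secrets.randbelow(Q - 1) + 1
    alpha = H(client, vk, A, B, C)                       # alpha' in the paper
    E = pow(pp["g1"], x2, P) * pow(pp["g2"], y2, P) * pow(pp["h"], z2, P) * cd(pp, alpha, w2) % P
    F, G = pow(pp["g1"], r2, P), pow(pp["g2"], r2, P)
    I = pow(pp["h"], r2, P) * pow(pp["g1"], pw_table[client], P) % P   # server-encryption
    beta = H(server, E, F, G, I)
    return (server, E, F, G, I, cd(pp, beta, r2)), {"msg1": msg1, "x": (x2, y2, z2, w2), "r2": r2, "beta": beta}

def client_flow3(pp, state, msg2, pw):
    server, E, F, G, I, J = msg2
    if not all(in_group(v) for v in (E, F, G, I, J)):
        raise ValueError("second message rejected: element outside G or the identity")
    x1, y1, z1, w1 = (secrets.randbelow(Q) for _ in range(4))
    beta = H(server, E, F, G, I)                         # beta' in the paper
    K = pow(pp["g1"], x1, P) * pow(pp["g2"], y1, P) * pow(pp["h"], z1, P) * cd(pp, beta, w1) % P
    sig = sign(state["sk"], f"{beta}|{K}".encode())      # Sign_SK(beta'|K)
    I1 = I * pow(pp["g1"], Q - pw, P) % P                # I' = I / g1^pw (g1 has order q)
    sk_c = pow(E, state["r1"], P) * pow(F, x1, P) * pow(G, y1, P) * pow(I1, z1, P) * pow(J, w1, P) % P
    return (K, sig), sk_c

def server_flow4(pp, state, msg3, pw_table):
    K, sig = msg3
    client, vk, A, B, C, D = state["msg1"]
    if not (in_group(K) and verify(vk, f"{state['beta']}|{K}".encode(), sig)):
        return rand_elem()                               # sk_S <- G: a useless random key
    x2, y2, z2, w2 = state["x"]
    C1 = C * pow(pp["g1"], Q - pw_table[client], P) % P  # C' = C / g1^pw
    return pow(A, x2, P) * pow(B, y2, P) * pow(C1, z2, P) * pow(D, w2, P) * pow(K, state["r2"], P) % P

def run(pp, client_pw, server_pw, tamper=lambda m: m):
    """One exchange between client 'alice' and server 'srv'; returns (sk_C, sk_S)."""
    msg1, cst = client_flow1(pp, "alice", client_pw)
    msg2, sst = server_flow2(pp, "srv", msg1, {"alice": server_pw})
    msg3, sk_c = client_flow3(pp, cst, msg2, client_pw)
    return sk_c, server_flow4(pp, sst, tamper(msg3), {"alice": server_pw})
```

With matching passwords run() returns two equal keys; with mismatched passwords, a tampered K, or a first-message component that is the identity or lies outside G, the server either ends with an unrelated random key or rejects the message outright.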

Correctness. In an honest execution of the protocol, C and S calculate iden- 
tical session keys. To see this, first note that α = α' and β = β' in an honest 
execution. Then: 

and 

and one can verify that these are equal. 
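As an added derivation (not text from the paper), expanding sk_C with the definitions of Figure 1, using I' = I/g1^{pw_C} = h^{r2}, C' = C/g1^{pw_C} = h^{r1}, α = α' and β = β':

$$
\begin{aligned}
sk_C &= E^{r_1} F^{x_1} G^{y_1} (I')^{z_1} J^{w_1} \\
     &= \bigl(g_1^{x_2} g_2^{y_2} h^{z_2} (cd^{\alpha})^{w_2}\bigr)^{r_1} \cdot (g_1^{r_2})^{x_1} (g_2^{r_2})^{y_1} (h^{r_2})^{z_1} \bigl((cd^{\beta})^{r_2}\bigr)^{w_1} \\
     &= (g_1^{r_1})^{x_2} (g_2^{r_1})^{y_2} (h^{r_1})^{z_2} \bigl((cd^{\alpha})^{r_1}\bigr)^{w_2} \cdot \bigl(g_1^{x_1} g_2^{y_1} h^{z_1} (cd^{\beta})^{w_1}\bigr)^{r_2} \\
     &= A^{x_2} B^{y_2} (C')^{z_2} D^{w_2} K^{r_2} = sk_S .
\end{aligned}
$$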

Mutual Authentication. We note that the protocol as presented above 
achieves key exchange only, and not mutual authentication. However, we can 
trivially add mutual authentication by adding a fourth message to the protocol. 
Details will appear in the final version. 

3.3 Practical Considerations 

In practice, a collision resistant hash function (say, SHA-1) can be used instead of 
a universal one-way hash function. This has the advantage of increased efficiency, 
at the expense of requiring a (possibly) stronger assumption for security. 

Efficient one-time signatures HS| can be based on (presumed) one-way func- 
tions like SHA-1 or DES. In particular, one-time signatures are much more ef- 
ficient than signature schemes which are secure against adaptive (polynomially- 
many) chosen message attacks. 

Client computation can be reduced (which is important when the client 
is smartcard-based) as follows: instead of using a one-time signature scheme 
where fresh keys need to be generated each time a connection is made, a signing 
key/verification key pair can be generated once (upon initialization) and used for the 
lifetime of the client. Particularly suited for such applications are “on-the-fly” 
signature schemes such as . This initialization step may be done by a 
host computer (with the keys then downloaded to the smartcard), or this step may 
be done off-line before the first connection is made. The proof of security given 
in Section 4 still holds. The disadvantage is that this signature scheme is now 
required to be secure against existential forgeries even when polynomially-many 
messages are signed (and not just a single message). In some cases, however, this 
tradeoff may be acceptable. 

Finally, note that we may store g1^{pw_C} at the server instead of pw_C, and thereby 
avoid computing the exponentiation each time the protocol is executed. 

4 Security of the Protocol 

We concentrate here on the basic security of the protocol, and leave the corre- 
sponding results about forward security to the full paper. The following theorem 
indicates that the protocol is secure, since all lower order terms are negligible in 
k (see Appendix 0 for definitions of the lower order terms). 

Theorem 1. Let P be the protocol of Figure 1, where passwords are chosen from 
a dictionary of size N, and let k = |q| be the security parameter. Let A be an 
adversary which runs in time t and asks q_execute, q_send, and q_reveal queries to the 
respective oracles. Then: 

$$\mathrm{Adv}_A(k) \le \frac{q_{send}}{2N} + 2 q_{send}\,\varepsilon_{sig}(k,t) + 2\varepsilon_{ddh}(k,t) + 2 q_{send}\,\varepsilon_{cs}(k,t,q_{send}/2) + \frac{\min\{2q_{reveal},\, q_{send}\}}{q} + \frac{2\min\{2q_{reveal},\, q_{execute}\}}{q^2}.$$ 

It will be helpful to develop some intuition and notation before presentation 
of the full proof. First, note that the Execute oracle cannot help the adversary. 
The reason is that Diffie-Hellman key exchange HD forms the “heart” of this 
protocol, and this is secure under a passive attack. 

Next, consider active “impersonation attacks” by the adversary. The protocol 
has three flows. When an adversary tries to impersonate a client (in an attempt 
to determine the eventual session key of a server), the adversary must send the 
first and third messages; when the adversary wants to impersonate a server (in 
an attempt to determine the eventual session key of a client), the adversary must 
“prompt” the client to generate the first message and must then send the second 
message. Consider an adversary impersonating a client, and let the first message 
(which comes from the adversary) be (Client|VK|A|B|C|D). We say this message 
is valid if: 

$$\log_{g_1} A = \log_{g_2} B = \log_h\!\left(C / g_1^{pw_C}\right) = \log_{cd^{\alpha'}} D, \qquad (1)$$ 

where α' = H(Client|VK|A|B|C), and pw_C is the password for Client. We 
define valid analogously for the second message of an adversary impersonating 
a server (note that here the password which determines validity depends upon 
the name of the client to which the adversary sends the message). We do not 
define any notion of validity for the third message. The following fact is central 
to our proof: 

Fact 1 When an invalid message is sent to an instance, the session key com- 
puted by that instance is information-theoretically independent of all messages 
sent and received by that instance. This holds for both clients and servers. 

Proof. Consider the case of an adversary interacting with a server, with the first 
message as above. Let θ1 = log_{g1} g2, θ2 = log_{g1} h, and θ3 = log_{g1}(cd^{α'}). Con- 
sider the random values x2, y2, z2, w2 (see Figure 1) used by the server instance 
during its execution. Element E of the second message constrains these values 
as follows: 

$$\log_{g_1} E = x_2 + y_2\theta_1 + z_2\theta_2 + w_2\theta_3. \qquad (2)$$ 

The session key is calculated as K^{r2} multiplied by sk'_S = A^{x2} B^{y2} (C/g1^{pw_C})^{z2} D^{w2}. 
But we have: 

$$\log_{g_1} sk'_S = x_2\log_{g_1} A + y_2\theta_1\log_{g_2} B + z_2\theta_2\log_h\!\left(C/g_1^{pw_C}\right) + w_2\theta_3\log_{cd^{\alpha'}} D. \qquad (3)$$ 

When equation (1) does not hold (i.e., the message is invalid), equations (2) and 
(3) are linearly independent and sk'_S ∈ G is information-theoretically indepen- 
dent of the transcript of the execution. A similar argument holds for the case of 
an adversary interacting with a client. ■ 



Password- Authenticated Key Exchange Using Human-Memorable Passwords 485 



Let π_U^i be an instance to which the adversary has sent an invalid message. 
Fact 1 implies that the adversary has advantage 0 in distinguishing the session 
key generated by this instance from a random session key. Thus, an adversary’s 
(non-zero) advantage can come about only by sending a valid message to an 
instance. 

We call a message sent by an adversary previously-used if the message was 
previously output by a client or server running the protocol (that is, the adver- 
sary has simply “copied” and re-used the message), and is new otherwise. The 
following lemma bounds the adversary’s probability of coming up with a new, 
valid first or second message: 

Lemma 1. An adversary’s probability of sending, at any point during the pro- 
tocol, a first or second message which is both new and valid is bounded by 
O(q_send/N) + ε(k), for some negligible function ε(·). 

This lemma essentially follows from the chosen-ciphertext security (and hence 
non-malleability) of extended Cramer-Shoup encryption (see |1 d] and Appendix 
B). Details appear in the full proof, below. The lemma reflects the fact that the 
adversary can (trivially) “guess” the appropriate password^ each time he sends 
a first or second message. 

The only remaining point to argue is that previously-used messages cannot 
significantly help the adversary. First note that if an adversary re-uses a first 
message, the adversary will (with high probability) not be able to compute a 
valid signature to include with the third message. If an adversary re-uses a 
second message, the full proof indicates that without knowing the randomness 
used to generate that message, the adversary will gain only negligible advantage. 

Proof (of Theorem 1). We refer to the formal specification of the protocol as it 
appears in Appendix O. The number of clients and servers is polynomial in the 
security parameter, and this number is fixed in advance^ and public. 

We imagine a simulator who controls all oracles to which the adversary has 
access. The simulator runs the protocol initialization as described in Appendix 
O, Figure El, including selecting passwords for each client^. The simulator answers 
the adversary’s oracle queries as defined in Appendix O, Figures 0 and 0. The 
adversary succeeds if it can guess the bit b that the simulator uses during the 
Test query (see Section 2 for additional details). 

We define a sequence of transformations P_1, ... to the original protocol P_0, 
and bound the effect each transformation has on the adversary’s advantage. 

^ The lemma assumes that passwords are chosen uniformly at random from the pass- 
word space, but can be appropriately modified to handle arbitrary distributions. 

^ As mentioned in Section 1.4, clients and servers can in fact be dynamically added to 
the protocol during execution at the request of the adversary (and even with pass- 
words chosen by the adversary, when forward security is considered). For simplicity, 
we focus on the static case. 

^ For simplicity we assume that users choose passwords independently and with uni- 
form distribution. The analysis can easily be modified to accommodate arbitrary 
distributions. 

Then, we bound the adversary’s advantage in the final (transformed) protocol; 
this gives an explicit bound on the adversary’s advantage in the original protocol. 

Consider the verification keys output by the Send_0 oracle during the course 
of the protocol. We may restrict ourselves to the case where the adversary is 
unable to forge a new message/signature pair for any of these keys during the 
course of the protocol. This can change the adversary’s success probability (as 
a simple hybrid argument shows) by at most q_send0 · ε_sig(k, t) ≤ q_send · ε_sig(k, t). 

In protocol P_1, calls to the Execute oracle are answered as before, except that 
C and I are chosen at random from G. The following bounds the effect on the 
adversary’s advantage: 

Lemma 2. The adversary’s success probability in P_1 differs by at most ε_ddh(k, t) 
from its advantage in P_0. 

Proof. The simulator uses the adversary as a black box to distinguish Diffie- 
Hellman quadruples from random quadruples. Given quadruple (g, h, s, t) and 
group G, it runs the initialization as follows: 

  a, b, l ← Z_q 
  g1 = g; g2 = g^l; c = g^a; d = g^b 
  H ← UOWH 
  Publish parameters (q, g1, g2, h, c, d, H) and group G 
  (pw_C)_{C ∈ Client} ← {1, ..., N} 

By a random self-reducibility property EHP, the simulator can generate 
s_τ, t_τ (for τ = 1, ...) such that, if (g, h, s, t) is a Diffie-Hellman quadruple, so 
is (g, h, s_τ, t_τ); on the other hand, if (g, h, s, t) is a random quadruple, then 
(g, h, s_τ, t_τ) is distributed among random quadruples with g and h fixed. The 
τ-th call to Execute is answered as: 

Execute(Client, i, Server, j) — 
  (VK, SK) ← SigGen(1^k); x1, x2, y1, y2, z1, z2, w1, w2 ← Z_q 
  A = s_{2τ}; B = s_{2τ}^l; C = t_{2τ} · g1^{pw_C}; α = H(Client|VK|A|B|C) 
  D = s_{2τ}^{a+αb}; msg-out_1 ← (Client|VK|A|B|C|D) 
  E = g1^{x2} g2^{y2} h^{z2} (cd^α)^{w2}; F = s_{2τ+1}; G = s_{2τ+1}^l; I = t_{2τ+1} · g1^{pw_C} 
  β = H(Server|E|F|G|I) 
  J = s_{2τ+1}^{a+βb}; msg-out_2 ← (Server|E|F|G|I|J) 
  K = g1^{x1} g2^{y1} h^{z1} (cd^β)^{w1}; msg-out_3 ← (K | Sign_SK(β|K)) 
  sk_C^i ← sk_S^j ← A^{x2} B^{y2} (C/g1^{pw_C})^{z2} D^{w2} · F^{x1} G^{y1} (I/g1^{pw_C})^{z1} J^{w1} 
  sid_C^i ← sid_S^j ← (msg-out_1 | msg-out_2 | msg-out_3) 
  return (msg-out_1, msg-out_2, msg-out_3) 

If (g, h, s, t) is a Diffie-Hellman quadruple, this is an exact simulation of P_0; on 
the other hand, if it is a random quadruple, this is an exact simulation of P_1. ■ 

In protocol P_2, calls to Execute are answered as before except that the session 
key is chosen randomly from G. The adversary’s view (and thus its success proba- 
bility) is within statistical distance min{q_reveal, q_execute}/q^2 from the adversary’s 
view in protocol P_1. Indeed, Fact 1 shows that the session key is independent 
of the transcript of the execution seen by the adversary whenever msg-out_1 or 
msg-out_2 are not valid (for the appropriate password). But when C and I are 
chosen randomly, the probability that both msg-out_1 and msg-out_2 are valid is 
exactly 1/q^2. 

In protocol P_3, the public parameters are generated by choosing g1 and g2 
randomly from G, then choosing x1, x2, y1, y2, and z randomly from Z_q and set- 
ting c = g1^{x1} g2^{x2}, d = g1^{y1} g2^{y2}, and h = g1^z; H is chosen as before. Furthermore, 
the Send_3 oracle is changed as follows: the simulator first checks whether first- 
msg-in (which was the message sent to the Send_1 oracle for the same instance) 
is previously-used (see above). If so, the current query to the Send_3 oracle is an- 
swered normally. Otherwise, let first-msg-in = (Client|VK|A|B|C|D). The simu- 
lator computes α = H(Client|VK|A|B|C) and checks whether A^{x1+αy1} B^{x2+αy2} = 
D and A^z · g1^{pw_C} = C. If so, first-msg-in is said to appear valid, and the query is 
answered normally. If not, first-msg-in is said to appear non-valid, and the query 
is answered normally except that the session key is chosen randomly from G. 

Calls to Send_2(Client, i, msg-in) are answered in similar fashion. If msg-in 
is previously-used, the query is answered normally. Otherwise, let msg-in = 
(Server|E|F|G|I|J). The simulator computes β = H(Server|E|F|G|I) and checks 
whether F^{x1+βy1} G^{x2+βy2} = J and F^z · g1^{pw_C} = I. If so, msg-in is said to appear 
valid, and the query is answered normally. If not, msg-in is said to appear non- 
valid, and the query is answered normally but the session key for instance π_C^i 
is chosen randomly from G. 

The adversary’s view of this protocol is exactly equivalent to its view of 
protocol P_2. When first-msg-in or msg-in appear non-valid, they are in fact 
not valid for password pw_C, and Fact 1 shows that the resulting session key 
is independent of the adversary’s view. On the other hand, a message which 
appears valid may in fact be invalid, but since the query is answered normally 
the adversary’s view is not affected. 

In protocol P_4, the definition of the adversary’s success is changed: 

— If, during the course of answering a Send_3 oracle query, first-msg-in is new 
and appears valid, the session key is set to the special value V. If the adver- 
sary ever asks a Reveal query for this instance, the simulator halts immedi- 
ately and the adversary succeeds. 

— If, during the course of answering a Send_2 oracle query, msg-in is new and 
appears valid, the session key is set to the special value V. If the adversary 
ever asks a Reveal query for this instance, the simulator halts immediately 
and the adversary succeeds. 

— Otherwise, the adversary succeeds, as before, by guessing the bit b. 

This can only increase the advantage of the adversary. 

In protocol P_5, calculation of the session key by the Send_3 oracle is modified. 
First, every time K is computed by the simulator when answering a call to the 
Send_2 oracle, the simulator stores K along with its associated values of x, y, z, w. 
When a call is made to the Send_3 oracle with msg-in = (K|Sig), there are four 
possibilities: 

— first-msg-in is new and appears valid. In this case the session key is set to 
V and the simulator behaves as in P_4 (above). 

— first-msg-in is new and appears non-valid. In this case, the simulator chooses 
the session key randomly (as in P_3, P_4). 

— first-msg-in is previously-used and Verify_VK((β|K), Sig) = 0. In this case, the 
simulator chooses the session key randomly (as in P_0, ..., P_4). 

— first-msg-in is previously-used and Verify_VK((β|K), Sig) = 1. It must be the 
case that (K, Sig) was previously output by the Send_2 oracle (since we as- 
sume the adversary has not forged any new message/signature pairs). The 
simulator therefore knows values x', y', z', w' such that K = g1^{x'} g2^{y'} h^{z'} (cd^β)^{w'}. 
Let first-msg-out = (Server|E|F|G|I|J) and I* = I/g1^{pw_C}. The simulator 
calculates the session key as: 

  sk_S^i ← A^x B^y (C*)^z D^w F^{x'} G^{y'} (I*)^{z'} J^{w'}. 

The adversary’s view is exactly equivalent to the adversary’s view in P_4 (since 
K^{r2} does equal F^{x'} G^{y'} (I*)^{z'} J^{w'} when first-msg-out is a valid message; it is valid 
since it was generated by the simulator who knows the appropriate password). 

In protocol P_6 we change oracle Send_1 so that component I is chosen at 
random from G. This cannot change the adversary’s success probability by 
more than q_send1 · ε_cs(k, q_send2 + q_send3). If it did, the simulator could break 
extended-CS encryption under a chosen ciphertext attack as follows: parame- 
ters for extended-CS encryption become the public parameters for the proto- 
col. During the course of the protocol, the simulator may determine whether 
a new message appears valid by submitting it to the decryption oracle and 
checking whether the returned plaintext is equal to the appropriate password. 
When calls to the Send_1 oracle are made, the simulator submits the appropri- 
ate password as the plaintext along with the server name, the value α, and 
a request for a server-encryption (see Appendix B). In return, the simulator 
is given (Server|E|F|G|I|J) (which may be an encryption of either the appro- 
priate password or a random group element) along with x, y, z, w such that 
E = g1^x g2^y h^z (cd^α)^w. A simple hybrid argument bounds the change in the adver- 
sary’s success probability. 

In protocol P_7, the Send_2 oracle is changed so that whenever msg-in was 
previously-used the session key is chosen at random from G. To ensure consis- 
tency, the Send_3(Server, i, ∗) oracle is changed as follows: if sid_S^i matches sid_U^j for 
some other instance π_U^j, then sk_S^i is set equal to sk_U^j. The statistical difference 
between the adversary’s view in this protocol and the previous one is bounded 
by min{q_reveal, q_send2}/q. Indeed, Fact 1 shows that the views are equivalent 
when msg-in is invalid. Furthermore, the probability that msg-in is valid for the 
appropriate password is 1/q (since I was chosen at random). 

In protocol P_8, the Send_0 oracle is changed so that component C is chosen 
randomly from G. Following a similar analysis to that of protocol P_6, this cannot 
change the adversary’s success probability by more than q_send0 · ε_cs(k, q_send2 + 
q_send3). Finally, in protocol P_9 the Send_3 oracle is changed so that a random ses- 
sion key is chosen when first-msg-in is previously-used. Following a similar anal- 
ysis to that of protocol P_7, the statistical difference between the adversary’s view 
in this protocol and the previous protocol is bounded by min{q_reveal, q_send3}/q. 

Consider the adversary’s advantage in protocol P_9. The adversary’s view 
is entirely independent of the passwords chosen by the simulator unless the 
adversary manages to submit a new msg-in which appears valid at some point 
during execution of the protocol; i.e., succeeds in guessing the password. The 
adversary’s probability of guessing the password, however, is precisely (q_send2 + 
q_send3)/N (this assumes that passwords are selected uniformly; an analogous 
calculation can be done when this is not the case). The adversary’s advantage 
in protocol P_9 is thus bounded by q_send/2N (note that the adversary must ask a 
q_send0 query for a q_send2 query to be meaningful, and similarly must ask a q_send1 
query for a q_send3 query to be meaningful). The adversary’s advantage in the 
original protocol is therefore bounded by the expression in Theorem 1. ■ 
A Building Blocks 

Decisional Diffie-Hellman (DDH) Assumption (see |H|). For concreteness, 
we let G be a subgroup of Z_p^* of order q where p, q are prime, q | p − 1, and 
|q| = k, the security parameter. Let g be a generator of G. The DDH assumption 
states that it is infeasible for an adversary to distinguish between the following 
distributions: 

$$\{x, y, z \leftarrow Z_q : (g^x, g^y, g^{xz}, g^{yz})\} \quad \text{and} \quad \{x, y, z, w \leftarrow Z_q : (g^x, g^y, g^z, g^w)\}.$$ 

More precisely, choose at random one of the above distributions and give ad- 
versary A an element chosen from this distribution. The adversary succeeds by 
guessing which distribution was chosen; the advantage is defined as usual. Let 
ε_ddh(k, t) be the maximum advantage of any adversary which runs in time t. The 
DDH assumption is that for t = poly(k), the advantage ε_ddh(k, t) is negligible. 






One-Time Digital Signatures (see ). Let SigGen(1^k) be a probabilis- 
tic algorithm generating a public verification key/private signing key pair (VK, SK). 
Signing message M is denoted by Sig ← Sign_SK(M), and verification is de- 
noted by b = Verify_VK(M, Sig) (the signature is correct if b = 1). Consider 
the following experiment: SigGen(1^k) is run to generate (VK, SK). Message M 
is chosen, and the signature Sig ← Sign_SK(M) is computed. Adversary A is 
given (VK, M, Sig) and outputs a pair (M', Sig') which is not equal to the mes- 
sage/signature pair it was given. The adversary’s advantage is defined as the 
probability that Verify_VK(M', Sig') = 1. Let ε_sig(k, t) be the maximum possible 
advantage of any adversary which runs in time t. The assumption is that for 
t = poly(k), this value is negligible. Note that a signature scheme meeting this 
requirement can be constructed [II .ly/ltij given any one-way function^. 

Extended Cramer-Shoup Encryption ([…]). The Cramer-Shoup cryptosystem
is an encryption scheme secure under adaptive chosen ciphertext attack (see
[…] for formal definitions). We extend their cryptosystem, as discussed in Appendix
B; our extension remains secure under adaptive chosen ciphertext attack.
The extension gives two “types” of encryption algorithms: a client-encryption
algorithm and a server-encryption algorithm, both using the identical public
parameters.

Consider the following experiment: $\mathsf{ExtCSGen}(1^k)$ is run to generate public
key/private key pair $(pk, sk)$. Adversary $A$ is given $pk$ and is also given access to a
decryption oracle which, given ciphertext $C$, returns the corresponding plaintext
$P$ (or $\bot$ if the ciphertext is invalid). The adversary outputs a plaintext $x$, and
may request either a client-encryption or a server-encryption of $x$. A random
bit $b$ is chosen; if $b = 0$ the adversary is given a random encryption (of the
type requested) of $x$, while if $b = 1$ the adversary is given a random encryption
(of the type requested) of a random element. The adversary may continue to
submit queries to the decryption oracle, but cannot ask for decryption of the
challenge ciphertext. The adversary succeeds by guessing $b$; the advantage is
defined as usual. Let $\varepsilon_{\mathsf{cs}}(k, t, d)$ be the maximum possible advantage of any
adversary which runs in time $t$ and asks at most $d$ decryption oracle queries. In
[…] (see also Appendix B) it is proved that for $t, d = \mathrm{poly}(k)$, the advantage
$\varepsilon_{\mathsf{cs}}(k, t, d)$ is negligible (under the DDH assumption). A concrete security bound
can be found in […].

B Extended Cramer-Shoup Encryption

We consider here an extension of the Cramer-Shoup encryption scheme […]
which is chosen-ciphertext secure. No new techniques are used, and the proof of
security for the modified scheme is exactly the same as for the original with the
exception of a few details which one must be careful to get right.

Public parameters are generators $g_1, g_2, h = g_1^z, c = g_1^{x_1} g_2^{x_2}, d = g_1^{y_1} g_2^{y_2} \in \mathbb{G}$
along with a universal one-way hash function $\mathcal{H}$. Ciphertexts are of the form
$(A|B|C|D|E|F)$. Decryption is done as in […]: first, $\alpha = \mathcal{H}(A, B, C, D, E)$ is
computed, and the following condition is checked:

$$C^{x_1 + y_1 \alpha} \, D^{x_2 + y_2 \alpha} = F$$

If it fails output $\bot$. Otherwise, output the plaintext $E / C^z$.

¹ The DDH assumption implies that $f(x) = \ldots$ is a one-way function.

The essential difference lies in the definition of the encryption oracle. The
adversary submits a plaintext $m$ but also submits additional information, and
the encryption oracle returns some side information in addition to the ciphertext.
More precisely, the adversary includes a bit $b \in \{0, 1\}$, which determines whether
the plaintext is encrypted via client-encryption or server-encryption. For the
case of client-encryption, the adversary also includes $\mathit{Client} \in \mathsf{Client}$. For the
case of server-encryption, the adversary includes $\mathit{Server} \in \mathsf{Server}$ and a value
$a \in \mathbb{Z}_q$. The encryption oracle sets $m' = m$ with probability 1/2 and chooses $m'$
randomly from $\mathbb{G}$ otherwise. Encryption is then carried out as follows:



Client-encryption($m'$, $\mathit{Client}$):
    $(\mathsf{VK}, \mathsf{SK}) \leftarrow \mathsf{SigGen}(1^k)$
    $A = \mathit{Client}$; $B = \mathsf{VK}$
    $r \leftarrow \mathbb{Z}_q$
    $C = g_1^r$, $D = g_2^r$, $E = h^r m'$
    $\alpha = \mathcal{H}(A, B, C, D, E)$
    $F = (c d^{\alpha})^r$
    return $((A, B, C, D, E, F), \mathsf{SK})$

Server-encryption($m'$, $\mathit{Server}$, $a$):
    $x, y, z, w, r \leftarrow \mathbb{Z}_q$
    $A = \mathit{Server}$; $B = g_1^x g_2^y h^z (c d^{a})^w$
    $C = g_1^r$, $D = g_2^r$, $E = h^r m'$
    $\beta = \mathcal{H}(A, B, C, D, E)$
    $F = (c d^{\beta})^r$
    return $((A, B, C, D, E, F), x, y, z, w)$



Theorem 2. The encryption scheme outlined above is secure (in the sense of
indistinguishability) under an adaptive chosen ciphertext attack.

Sketch of Proof (Informal) The proof of security exactly follows […], and
it can be easily verified that the additional information given to the adversary
does not improve her advantage. One point requiring careful consideration is
the adversary’s probability of finding a collision in $\mathcal{H}$. If $\mathcal{H}$ is collision resistant
(a stronger assumption than being universal one-way), there is nothing left to
prove. If $\mathcal{H}$ is universal one-way, however, it can first be noted that $\mathsf{VK}$ or $B$
could be selected by a simulator before $\mathcal{H}$ is given to it (if the simulator prepares
the public key such that it knows $\log_{g_1} g_2$ it can produce a representation of $B$
for any value $a$ given to it by the adversary). But, we must also deal with the
fact that the adversary gets to choose $A$ (and the bit $b$ which determines whether
client-encryption or server-encryption is used) after seeing $\mathcal{H}$. However, since the
set $\mathsf{User}$ is fixed in advance, and (at worst) of size polynomial in the security
parameter, the simulator can “guess” the adversary’s choices in advance (before
being given $\mathcal{H}$) and this will only affect the simulator’s probability of finding a
collision by a polynomial factor (details omitted). ■
C Formal Specification of the Protocol

Initialize($1^k$):
    Select $p, q$ prime with $|p| = k$ and $q \mid p - 1$; this defines group $\mathbb{G}$
    Choose random generators $g_1, g_2, h, c, d \leftarrow \mathbb{G}$
    $\mathcal{H} \leftarrow \mathsf{UOWHF}$
    Publish parameters $(q, p, g_1, g_2, h, c, d, \mathcal{H})$
    $(pw_C)_{C \in \mathsf{Client}} \leftarrow \ldots$

Fig. 2. Specification of protocol initialization.



Execute($\mathit{Client}$, $i$, $\mathit{Server}$, $j$):
    $(\mathsf{VK}, \mathsf{SK}) \leftarrow \mathsf{SigGen}(1^k)$; $x_1, x_2, y_1, y_2, z_1, z_2, w_1, w_2, r_1, r_2 \leftarrow \mathbb{Z}_q$
    $A = g_1^{r_1}$, $B = g_2^{r_1}$, $C = h^{r_1} g_1^{pw_C}$; $\alpha = \mathcal{H}(\mathit{Client}|\mathsf{VK}|A|B|C)$
    $D = (c d^{\alpha})^{r_1}$; msg-out$_1$ $\leftarrow \langle \mathit{Client}|\mathsf{VK}|A|B|C|D \rangle$
    $E = g_1^{x_2} g_2^{y_2} h^{z_2} (c d^{\alpha})^{w_2}$; $F = g_1^{r_2}$, $G = g_2^{r_2}$, $I = h^{r_2} g_1^{pw_C}$
    $\beta = \mathcal{H}(\mathit{Server}|E|F|G|I)$
    $J = (c d^{\beta})^{r_2}$; msg-out$_2$ $\leftarrow \langle \mathit{Server}|E|F|G|I|J \rangle$
    $K = g_1^{x_1} g_2^{y_1} h^{z_1} (c d^{\beta})^{w_1}$; msg-out$_3$ $\leftarrow \langle K \,|\, \mathsf{Sign}_{\mathsf{SK}}(\beta|K) \rangle$
    $sk_C^i = sk_S^j = E^{r_1} F^{x_1} G^{y_1} (I \cdot g_1^{-pw_C})^{z_1} J^{w_1}$
    $sid_C^i = sid_S^j = \langle$msg-out$_1$ | msg-out$_2$ | msg-out$_3\rangle$
    return (msg-out$_1$, msg-out$_2$, msg-out$_3$)

Reveal($\mathit{User}$, $i$):
    return $sk_U^i$

Test($\mathit{User}$, $i$):
    $b \leftarrow \{0, 1\}$; $sk \leftarrow \mathbb{G}$
    if $b = 0$ return $sk$ else return $sk_U^i$

Fig. 3. Specification of the Execute, Reveal, and Test oracles to which the adversary has
access. Note that $q, g_1, g_2, h, c, d, \mathcal{H}$ are public, and $\mathbb{G}$ is the underlying group. Subscript
$S$ refers to the server, and $C$ to the client.
Send$_0$($\mathit{Client}$, $i$, $\mathit{Server}$):
    $(\mathsf{VK}, \mathsf{SK}) \leftarrow \mathsf{SigGen}(1^k)$; $r \leftarrow \mathbb{Z}_q$
    $A = g_1^r$, $B = g_2^r$, $C = h^r g_1^{pw_C}$; $\alpha = \mathcal{H}(\mathit{Client}|\mathsf{VK}|A|B|C)$
    msg-out $\leftarrow \langle \mathit{Client}|\mathsf{VK}|A|B|C|(c d^{\alpha})^r \rangle$
    $state_C^i \leftarrow (\mathsf{SK}, r, \text{msg-out})$
    return msg-out

Send$_1$($\mathit{Server}$, $i$, $\langle \mathit{Client}, \mathsf{VK}, A, B, C, D \rangle$):
    $x, y, z, w, r \leftarrow \mathbb{Z}_q$; $\alpha \leftarrow \mathcal{H}(\mathit{Client}|\mathsf{VK}|A|B|C)$; $E \leftarrow g_1^x g_2^y h^z (c d^{\alpha})^w$
    $F = g_1^r$, $G = g_2^r$, $I = h^r g_1^{pw_C}$; $\beta = \mathcal{H}(\mathit{Server}|E|F|G|I)$
    msg-out $\leftarrow \langle \mathit{Server}|E|F|G|I|(c d^{\beta})^r \rangle$
    $state_S^i \leftarrow (\text{msg-in}, x, y, z, w, r, \beta, \text{msg-out})$
    return msg-out

Send$_2$($\mathit{Client}$, $i$, $\langle \mathit{Server}, E, F, G, I, J \rangle$):
    $(\mathsf{SK}, r, \text{first-msg-out}) \leftarrow state_C^i$; $\beta = \mathcal{H}(\mathit{Server}|E|F|G|I)$
    $x, y, z, w \leftarrow \mathbb{Z}_q$; $K = g_1^x g_2^y h^z (c d^{\beta})^w$
    msg-out $\leftarrow \langle K \,|\, \mathsf{Sign}_{\mathsf{SK}}(\beta|K) \rangle$; $sid_C^i \leftarrow$ (first-msg-out | msg-in | msg-out)
    $I' = I \cdot g_1^{-pw_C}$; $sk_C^i = E^r F^x G^y (I')^z J^w$
    return msg-out

Send$_3$($\mathit{Server}$, $i$, $\langle K, \mathsf{Sig} \rangle$):
    (first-msg-in, $x, y, z, w, r, \beta$, first-msg-out) $\leftarrow state_S^i$
    $(\mathsf{VK}, A, B, C, D) \leftarrow$ first-msg-in
    $sid_S^i \leftarrow$ (first-msg-in | first-msg-out | msg-in)
    if $\mathsf{Verify}_{\mathsf{VK}}((\beta|K), \mathsf{Sig}) = 1$
        $C' = C \cdot g_1^{-pw_C}$; $sk_S^i = A^x B^y (C')^z D^w K^r$
    else
        $sk_S^i \leftarrow \mathbb{G}$
    return $\varepsilon$

Fig. 4. Specification of the Send oracles to which the adversary has access. Note that
$q, g_1, g_2, h, c, d, \mathcal{H}$ are public, and $\mathbb{G}$ is the underlying group. Subscript $S$ refers to the
server, and $C$ to the client. The third argument to the Send oracles is denoted msg-in.
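The protocol of Figs. 2–4, as an added runnable sketch (example code written for this page, not the authors’ own implementation). Its assumptions, all for demonstration only: the group $\mathbb{G}$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a 64-bit safe prime $p = 2q + 1$ generated at import, SHA-256 reduced mod $q$ stands in for the universal one-way hash function $\mathcal{H}$, a Lamport scheme stands in for $(\mathsf{SigGen}, \mathsf{Sign}, \mathsf{Verify})$, and passwords are integers in $\mathbb{Z}_q$. The functions `send0` to `send3` follow the four Send oracles of Fig. 4 line by line; `run` shows that matching passwords give $sk_C = sk_S$, that with a wrong password the server still accepts the signature but ends up holding an unrelated key (the mismatch only shows up when the keys are later used), and that altering $K$ in transit makes $\mathsf{Verify}_{\mathsf{VK}}$ fail so the server takes the random-key branch.

```python
import hashlib
import secrets

# Demonstration assumptions (not the paper's parameters): a 64-bit safe prime
# p = 2q + 1 found at import, SHA-256 mod q as the hash H, Lamport one-time
# signatures for (SigGen, Sign, Verify); passwords pw are integers in Z_q.

def _is_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin for odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(s - 1)):
            return False
    return True

def _safe_prime(bits: int):  # (p, q) with p = 2q + 1; the squares in Z_p^* form G of order q
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(64)

def _encode(*parts) -> bytes:  # length-prefixed, so the parts are uniquely recoverable
    data = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return b"".join(len(d).to_bytes(4, "big") + d for d in data)

def H(*parts) -> int:  # stand-in for the universal one-way hash function, output in Z_q
    return int.from_bytes(hashlib.sha256(_encode(*parts)).digest(), "big") % Q

# Lamport one-time signature over the SHA-256 digest of the message: VK is the
# concatenation of the 512 preimage hashes, SK the 512 preimages themselves.
def sig_gen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in sk), sk

def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [pair[b] for pair, b in zip(sk, _bits(msg))]

def verify(vk: bytes, msg: bytes, sig) -> bool:
    return all(hashlib.sha256(pre).digest() == vk[64 * i + 32 * b: 64 * i + 32 * b + 32]
               for i, (pre, b) in enumerate(zip(sig, _bits(msg))))

def initialize():  # Fig. 2: random generators g1, g2, h, c, d of G (a^2 for a in [2, p-2] has order q)
    return tuple(pow(secrets.randbelow(P - 3) + 2, 2, P) for _ in range(5))

def _cd(c, d, alpha, exp):  # (c d^alpha)^exp
    return pow(c * pow(d, alpha, P) % P, exp, P)

def send0(client: str, pw: int, params):
    """Fig. 4, Send_0: the client's first message and its state (SK, r)."""
    g1, g2, h, c, d = params
    vk, sk = sig_gen()
    r = secrets.randbelow(Q)
    A, B, C = pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * pow(g1, pw, P) % P
    alpha = H(client, vk, A, B, C)
    return (client, vk, A, B, C, _cd(c, d, alpha, r)), (sk, r)

def send1(server: str, pw: int, params, msg_in):
    """Fig. 4, Send_1: the server's reply and its state (msg-in, x, y, z, w, r, beta)."""
    g1, g2, h, c, d = params
    client, vk, A, B, C, _ = msg_in
    x, y, z, w, r = (secrets.randbelow(Q) for _ in range(5))
    alpha = H(client, vk, A, B, C)
    E = pow(g1, x, P) * pow(g2, y, P) * pow(h, z, P) * _cd(c, d, alpha, w) % P
    F, G, I = pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * pow(g1, pw, P) % P
    beta = H(server, E, F, G, I)
    return (server, E, F, G, I, _cd(c, d, beta, r)), (msg_in, x, y, z, w, r, beta)

def send2(pw: int, params, state, msg_in):
    """Fig. 4, Send_2: the client's signed last message and its session key sk_C."""
    g1, g2, h, c, d = params
    sk, r = state
    server, E, F, G, I, J = msg_in
    beta = H(server, E, F, G, I)
    x, y, z, w = (secrets.randbelow(Q) for _ in range(4))
    K = pow(g1, x, P) * pow(g2, y, P) * pow(h, z, P) * _cd(c, d, beta, w) % P
    I1 = I * pow(pow(g1, pw, P), -1, P) % P  # I' = I / g1^pw
    sk_c = pow(E, r, P) * pow(F, x, P) * pow(G, y, P) * pow(I1, z, P) * pow(J, w, P) % P
    return (K, sign(sk, _encode(beta, K))), sk_c

def send3(pw: int, params, state, msg_in):
    """Fig. 4, Send_3: (signature accepted, sk_S); on failure sk_S is drawn from G as in the spec."""
    g1 = params[0]
    (_, vk, A, B, C, D), x, y, z, w, r, beta = state
    K, sig = msg_in
    if not verify(vk, _encode(beta, K), sig):
        return False, pow(g1, secrets.randbelow(Q), P)
    C1 = C * pow(pow(g1, pw, P), -1, P) % P  # C' = C / g1^pw
    return True, pow(A, x, P) * pow(B, y, P) * pow(C1, z, P) * pow(D, w, P) * pow(K, r, P) % P

def run(pw_client: int, pw_server: int, tamper_k: bool = False):  # -> (accepted, sk_C == sk_S)
    params = initialize()
    m1, st_c = send0("Client", pw_client, params)
    m2, st_s = send1("Server", pw_server, params, m1)
    m3, sk_c = send2(pw_client, params, st_c, m2)
    if tamper_k:  # K altered in transit: the one-time signature on (beta|K) no longer verifies
        m3 = (m3[0] * params[0] % P, m3[1])
    ok, sk_s = send3(pw_server, params, st_s, m3)
    return ok, sk_c == sk_s
```

The acceptance flag returned by `send3` is exposed only so that the branch can be checked; in Fig. 4 the server returns $\varepsilon$ in both cases, which is what keeps a wrong password guess from being confirmed by the transcript.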
Abstract. We provide identification protocols that are secure even when
the adversary can reset the internal state and/or randomization source 
of the user identifying itself, and when executed in an asynchronous 
environment like the Internet that gives the adversary concurrent access 
to instances of the user. These protocols are suitable for use by devices 
(like smartcards) which when under adversary control may not be able 
to reliably maintain their internal state between invocations. 



1 Introduction 

An identification protocol enables one entity to identify itself to another as the
legitimate owner of some key. This problem has been considered in a variety of
settings. Here we are interested in an asymmetric setting. The entity identifying
itself is typically called the prover, while the entity to which the prover is
identifying itself is called the verifier. The prover holds a secret key $sk$ whose
corresponding public key $pk$ is assumed to be held by the verifier.

The adversary’s goal is to impersonate the prover, meaning to get the verifier
to accept it as the owner of the public key $pk$. Towards this goal, it is allowed
various types of attacks on the prover. In the model of smartcard based identification
considered by […], the adversary may play the role of verifier and interact
with the prover, trying to learn something about $sk$, before making its impersonation
attempt. In the model of “Internet” based identification considered by
[…, 15], the adversary is allowed to interact concurrently with many different
prover “instances” as well as with the verifier. Formal notions of security corresponding
to these settings have been provided in the works in question, and
there are many protocol solutions for them in the literature.

In this work we consider a novel attack capability for the adversary. We allow
it, while interacting with the prover, to reset the prover’s internal state. That
is, it can “backup” the prover, maintaining the prover’s coins, and continue its
interaction with the prover. In order to allow the adversary to get the maximum
possible benefit from this new capability, we also allow it to have concurrent
access to different prover instances. Thus, it can interact with different prover
instances and reset each of them at will towards its goal of impersonating the
prover. The question of the security of identification protocols under reset attacks
was raised by Canetti, Goldreich, Goldwasser and Micali […], who considered the
same issue in the context of zero-knowledge proofs.

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 435–…, 2001.
© Springer-Verlag Berlin Heidelberg 2001



1.1 The Power of Reset Attacks

An example. Let us illustrate the power of reset attacks with an example. A
popular paradigm for smartcard based identification is to use a proof of knowledge
[…]. The prover’s public key is an instance of a hard NP language $L$, and
the secret key is a witness to the membership of the public key in $L$. The protocol
enables the prover to prove that it “knows” $sk$. A protocol that is a proof of
knowledge for a hard problem, and also has an appropriate zero-knowledge type
property such as being witness hiding […] is a secure identification protocol in
the smartcard model […].

A simple instance is the zero-knowledge proof of quadratic residuosity of […].
The prover’s public key consists of a composite integer $N$ and a quadratic residue
$u \in \mathbb{Z}_N^*$. The corresponding secret key is a square root $s \in \mathbb{Z}_N^*$ of $u$. The prover
proves that it “knows” a square root of $u$, as follows. It begins the protocol by
picking a random $r \in \mathbb{Z}_N^*$ and sending $y = r^2 \bmod N$ to the verifier. The latter
responds with a random challenge bit $c$. The prover replies with $a = r s^c \bmod N$,
meaning it returns $r$ if $c = 0$ and $rs \bmod N$ if $c = 1$. The verifier checks that
$a^2 = y u^c \bmod N$. (This atomic protocol has an error probability of 1/2, which
can be lowered by sequential repetition. The Fiat-Shamir protocol […] can be
viewed as a parallelized variant of this protocol.)

Now suppose the adversary is able to mount reset attacks on the prover. It 
can run the prover to get y, feed it challenge 0, and get back a = r. Now, it 
backs the prover up to the step just after it returned y, and feeds it challenge 
1 to get answer a' = rs. From a and a' it is easily able to extract the prover’s 
secret key s. Thus, this protocol is not secure under reset attacks. 

Generalizing from the example, we see that in fact, all proof of knowledge
based identification protocols can be broken in the same way. Indeed, in a proof of
knowledge, the prover is defined to “know a secret” exactly when this secret can
be extracted by a polynomial time algorithm (the “extractor”) which has oracle
access to the prover and is allowed to reset the latter […]. An attacker allowed
a reset attack can simply run the extractor, with the same result, namely it gets
the secret. So the bulk of efficient smartcard based identification protocols in
the literature are insecure under reset attacks.

Mounting reset attacks. Resetting or restoring the computational state of a
device is particularly simple in the case the device consists of a smartcard which
the enemy can capture and experiment with. If the card is manufactured with
secure hardware, the enemy may not be able to read its secret content, but it
could disconnect its battery so as to restore the card’s secret internal content
to some initial state, and then re-insert the battery and use it with that state a
number of times. If the smart card implements a proof of knowledge prover for
ID purposes, then such an active enemy may impersonate the prover later on.

Other scenarios in which such an attack can be realized arise if an enemy is
able to force a crash on the device executing the prover algorithm, in order to
force it to resume computation after the crash in an older “computational state”,
thereby forcing it to essentially reset itself.

Can we use resettable zero-knowledge? Zero-knowledge proofs of membership
secure under reset attack do exist […], but for reasons similar to those
illustrated above, are not proofs of knowledge. Accordingly, they cannot be used
for identification under a proof of knowledge paradigm. One of the solution
paradigms we illustrate later however will show how proofs of membership, rather
than proofs of knowledge, can be used for identification.



1.2 Notions of Security 

Towards the goal of proving identification protocols secure against reset attacks, 
we first discuss the notions of security we define and use. 

We distinguish between two types of resettable attacks CR1 (Concurrent-
Reset-1) and CR2 (Concurrent-Reset-2). In a CR1 attack, Vicky (the adversary)
may interact concurrently, in the role of verifier, with many instances of the
prover Alice, resetting Alice to initial conditions and interleaving executions,
hoping to learn enough to be able to impersonate Alice in a future time. Later,
Vicky will try to impersonate Alice, trying to identify herself as Alice to Bob
(the verifier).

In a CR2 attack, Vicky, while trying to impersonate Alice (i.e., attempting to
identify herself as Alice to Bob the verifier), may interact concurrently, in the
role of verifier, with many instances of the prover Alice, resetting Alice to initial
conditions and interleaving executions. Clearly, a CR1 attack is a special case of
a CR2 attack.

A definition of what it means for Vicky to win in the CR1 setting is straightforward:
Vicky wins if she can make the verifier Bob accept. In the CR2 setting
Vicky can make the verifier accept by simply being the woman-in-the-middle,
passing messages back and forth between Bob and Alice. The definitional issues
are now much more complex because the woman-in-the-middle “attack” is not
really an attack and the definition must take this into account. We address these
issues based on definitional ideas from […], specifically by assigning session-ids
to each completed execution of an ID protocol, which the prover must generate
and the verifier accept at the completion of the execution. For reasons of brevity
we do not discuss the CR2 setting much in this abstract, and refer the reader to
the full version of this paper […].

We clarify that the novel feature of our work is the consideration of reset
attacks for identification. However our settings are defined in such a way that
the traditional concurrent attacks as considered by […] and others are incorporated,
so that security against these attacks is achieved by our protocols.

1.3 Four Paradigms for Identification Secure Against Reset Attack

As we explained above, the standard proof of knowledge based paradigm fails 
to provide identification in the resettable setting. In that light, it may not be 
clear how to even prove the existence of a solution to the problem. Perhaps 
surprisingly however, not only can the existence of solutions be proven under 
the minimal assumption of a one-way function, but even simple and efficient 
solutions can be designed. 

This is done in part by returning to some earlier paradigms. Zero-knowledge 
proofs of knowledge and identification are so strongly linked in contemporary 
cryptography that it is sometimes forgotten that these in fact replaced earlier 
identification techniques largely due to the efficiency gains they brought. In 
considering a new adversarial setting it is thus natural to first return to older 
paradigms and see whether they can be “lifted” to the resettable setting. We 
propose in particular signature and encryption based solutions for resettable 
identification and prove them secure in both the CR1 and the CR2 settings. We
then present a general method for transforming identification protocols secure 
in a concurrent but non-reset setting to ones secure in a reset setting. Finally 
we return to the zero-knowledge ideas and provide a new paradigm based on 
zero-knowledge proofs of membership as opposed to proofs of knowledge. 

Signature based identification. The basic idea of the signature based paradigm
is for Alice to convince Bob that she is Alice, by being “able to” sign random
documents of Bob’s choice. This is known (folklore) to yield a secure identification
scheme in the serial non-reset setting of […] as long as the signature scheme
is secure in the sense of […]. It is also known to be secure in the concurrent
non-reset setting […]. But it fails in general to be secure in the resettable setting
because an adversary can obtain signatures of different messages under the same
prover coins. What we show is that the paradigm yields secure solutions in the
resettable setting if certain special kinds of signature schemes are used. (The
signing algorithm should be deterministic and stateless.) In the CR1 setting the
basic protocol using such signature schemes suffices. The CR2 setting is more
complex and we need to modify the protocol to include “challenges” sent by the
prover. Since signature schemes with the desired properties exist (and even efficient
ones exist) we obtain resettable identification schemes proven secure under
minimal assumptions for both the CR1 and the CR2 settings, and also obtain
some efficient specific protocols.

Encryption based identification. In the encryption based paradigm, Alice
convinces Bob she is Alice, by being “able to” decrypt ciphertexts which Bob
created. While the basic idea goes back to symmetric authentication techniques
of the seventies, modern treatments of this paradigm appeared more recently in
[…] but did not consider reset attacks. We show that under an appropriate
condition on the encryption scheme — namely that it be secure against chosen-
ciphertext attacks — a resettable identification protocol can be obtained. As
before the simple solution for the CR1 setting needs to be modified before it will
work in the CR2 setting.

Transforming standard protocols. Although Fiat-Shamir like identification
protocols are not secure in the context of reset attacks, with our third
paradigm we show how to turn practical identification schemes into secure ones
in the CR1 and CR2 settings. The solution relies on the techniques introduced in
[…] and utilizes pseudorandom functions and trapdoor commitments. It applies
to most of the popular identification schemes, like Fiat-Shamir […], Okamoto-
Schnorr [23, …] or Okamoto-Guillou-Quisquater […].

ZK proof of membership based identification. In the zero-knowledge
proofs of membership paradigm, Alice convinces Bob she is Alice, by being “able
to” prove membership in a hard language $L$, rather than by proving she has a
witness for language $L$. She does so by employing a resettable zero-knowledge
proof of language membership for $L$ as defined in […]. Both Alice and Bob
will need to have a public-key to enable the protocol. Alice’s public-key defines
who she is, and Bob’s public-key enables him to verify her identity in a secure
way. We adopt the general protocol for membership in NP languages of […] for
the purpose of identification. The identification protocols are constant round.
What makes this work is the fact that the protocol for language membership
($x \in L$) being zero-knowledge implies “learning nothing” about $x$ in a very
strong sense — a verifier cannot subsequently convince anyone else that $x \in L$
with non-negligible probability. We note that while we can make this approach
work using resettable zero-knowledge proofs, it does not seem to work using
resettable witness indistinguishable proofs for ID protocols.

Perspective. Various parts of the literature have motivated the study of zero-knowledge
protocols secure against strong attacks such as concurrent or reset in
part by the perceived need for such tools for the purpose of applications such as
identification in similar attack settings. While the tools might be sufficient for
identification, they are not necessary. Our results demonstrate that identification
is much easier than zero-knowledge and the latter is usually an overkill for the
former.

2 Definitions 

If $A(\cdot, \cdot, \ldots)$ is a randomized algorithm then $y \leftarrow A(x_1, x_2, \ldots; R)$ means $y$ is
assigned the unique output of the algorithm on inputs $x_1, x_2, \ldots$ and coins $R$,
while $y \leftarrow A(x_1, x_2, \ldots)$ is shorthand for first picking $R$ at random (from the set
of all strings of some appropriate length) and then setting $y \leftarrow A(x_1, x_2, \ldots; R)$.
If $x_1, x_2, \ldots$ are strings then $x_1 \| x_2 \| \cdots$ denotes an encoding under which the
constituent strings are uniquely recoverable. It is assumed any string $x$ can be
uniquely parsed as an encoding of some sequence of strings. The empty string is
denoted $\varepsilon$.
Prover                                        Verifier
$pk, sk$; Coins: $R_P$                        $pk$; Coins: $R_V$
                      MSG$_1$ →
                      ← MSG$_2$
                      ⋮
Output: $sid_P$                               Output: decision $\in \{\mathsf{accept}, \mathsf{reject}\}$

$(pk, sk) \leftarrow \mathcal{ID}(\mathsf{keygen}, k)$ — Randomized process to generate a public key $pk$ and
matching secret key $sk$

$\mathrm{MSG}_{2j+1} \leftarrow \mathcal{ID}(\mathsf{prvmsg}, sk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}; R_P)$ — ($1 \le 2j + 1 \le m(k)$) Next
prover message as a function of secret key, conversation prefix and coins $R_P$

$\mathrm{MSG}_{2j} \leftarrow \mathcal{ID}(\mathsf{vfmsg}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j-1}; R_V)$ — ($2 \le 2j \le m(k) - 1$) Next
verifier message as a function of public key, conversation prefix and coins $R_V$

$sid_P \leftarrow \mathcal{ID}(\mathsf{prvsid}, sk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{m(k)}; R_P)$ — Prover’s session id as a function
of secret key, full conversation and coins

$sid_V \| \mathsf{decision} \leftarrow \mathcal{ID}(\mathsf{vfend}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{m(k)}; R_V)$ — Verifier session id and
decision (accept or reject) as a function of public key, full conversation and coins

Fig. 1. The prover sends the first and last messages in an $m(k)$-move identification
protocol at the end of which the verifier outputs a decision and each party optionally
outputs a session id. The protocol description function $\mathcal{ID}$ specifies all processes
associated to the protocol.



An identification protocol proceeds as depicted in Figure 1. The prover has
a secret key $sk$ whose matching public key $pk$ is held by the verifier. (In practice
the prover might provide its public key, and the certificate of this public key, as
part of the protocol, but this is better slipped under the rug in the model.) Each
party computes its next message as a function of its keys, coins and the current
conversation prefix. The number of moves $m(k)$ is odd so that the first and last
moves belong to the prover. (An identification protocol is initiated by the prover
who at the very least must provide a request to be identified.) At the end of the
protocol the verifier outputs a decision to either accept or reject. Each party may
also output a session id. (Session ids are relevant in the CR2 setting but can
be ignored for the CR1 setting.) A particular protocol is described by a (single)
protocol description function $\mathcal{ID}$ which specifies how all associated processes —
key generation, message computation, session id or decision computation — are
implemented. (We say that $\mathcal{ID}$ is for the CR1 setting if $sid_P = sid_V = \varepsilon$, meaning
no session ids are generated.) The second part of Figure 1 shows how it works:
the first argument to $\mathcal{ID}$ is a keyword — one of $\mathsf{keygen}$, $\mathsf{prvmsg}$, $\mathsf{vfmsg}$, $\mathsf{prvsid}$,
$\mathsf{vfend}$ — which invokes the subroutine responsible for that function on the other
arguments.

Naturally, a correct execution of the protocol (meaning one in the absence of
an adversary) should lead the verifier to accept. To formalize this “completeness”
requirement we consider an adversary-free execution of the protocol $\mathcal{ID}$ which
proceeds as described in the following experiment:

$(pk, sk) \leftarrow \mathcal{ID}(\mathsf{keygen}, k)$; Choose tapes $R_P, R_V$ at random
$\mathrm{MSG}_1 \leftarrow \mathcal{ID}(\mathsf{prvmsg}, sk, \varepsilon; R_P)$
For $j = 1$ to $\lfloor m(k)/2 \rfloor$ do
    $\mathrm{MSG}_{2j} \leftarrow \mathcal{ID}(\mathsf{vfmsg}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j-1}; R_V)$
    $\mathrm{MSG}_{2j+1} \leftarrow \mathcal{ID}(\mathsf{prvmsg}, sk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}; R_P)$
EndFor
$sid_P \leftarrow \mathcal{ID}(\mathsf{prvsid}, sk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{m(k)}; R_P)$
$sid_V \| \mathsf{decision} \leftarrow \mathcal{ID}(\mathsf{vfend}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{m(k)}; R_V)$

The completeness condition is that, in the above experiment, the probability that
$sid_P = sid_V$ and $\mathsf{decision} = \mathsf{accept}$ is 1. (The probability is over the coin tosses of
$\mathcal{ID}(\mathsf{keygen}, k)$ and the random choices of $R_P, R_V$.) As always, the requirement
can be relaxed to only ask for a probability close to one.

Fix an identification protocol description function $\mathcal{ID}$ and an adversary $I$.
Associated to them is $\mathbf{Experiment}^{\mathrm{cr1}}_{\mathcal{ID},I}(k)$, depicted in Figure 2, which is used
to define the security of $\mathcal{ID}$ in the CR1 setting. (In this context it is understood
that $\mathcal{ID}$ is for the CR1 setting, meaning does not produce session ids.) The
experiment gives the adversary appropriate access to prover instance oracles
$\mathrm{Prover}_1, \mathrm{Prover}_2, \ldots$ and a single verifier oracle, lets it query these subject to
certain restrictions imposed by the experiment, and then determines whether
it “wins”. The interface to the prover instance oracles and the verifier oracle
(which, in the experiment, are implicit, never appearing by name) is via oracle
queries; the experiment enumerates the types of queries and shows how answers
are provided to them.

The experiment begins with some initializations which include choosing of the
keys. Then the adversary is invoked on input the public key. A WakeNewProver
query activates a new prover instance $\mathrm{Prover}_p$ by picking a random tape $R_p$
for it. (A random tape for a prover instance is chosen exactly once and all
messages of this prover instance are then computed with respect to this tape.
The tape of a specific prover instance cannot be changed, or “reset”, once chosen.)
A Send(prvmsg, $i$, $x$) query — viewed as sent to prover instance $\mathrm{Prover}_i$ —
results in the adversary being returned the next prover message computed as
$\mathcal{ID}(\mathsf{prvmsg}, sk, x; R_i)$. (It is assumed that $x = \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}$ is a valid conversation
prefix, meaning contains an even number of messages $2j < m(k)$, else
the query is not valid.) Resetting is captured by allowing arbitrary (valid) conversation
prefixes to be queried. (For example the adversary might try $\mathrm{MSG}_1 \| \mathrm{MSG}_2$
for many different values of $\mathrm{MSG}_2$, corresponding to successively resetting the
prover instance to the point where it receives the second protocol move.) Concurrency
is captured by the fact that any activated prover instances can be
queried.
$\mathbf{Experiment}^{\mathrm{cr1}}_{\mathcal{ID},I}(k)$ — Execution of protocol $\mathcal{ID}$ with adversary $I$ and security
parameter $k$ in the CR1 setting

Initialization:
(1) $(pk, sk) \leftarrow \mathcal{ID}(\mathsf{keygen}, k)$  // Pick keys via randomized key generation algorithm //
(2) Choose tape $R_V$ for verifier at random; $C_V \leftarrow 0$  // Coins and message counter for verifier //
(3) $p \leftarrow 0$  // Number of active prover instances //

Execute adversary $I$ on input $pk$ and reply to its oracle queries as follows:

• When $I$ makes query WakeNewProver  // Activate a new prover instance //
    (1) $p \leftarrow p + 1$; Pick a tape $R_p$ at random; Return $p$

• When $I$ makes query Send(prvmsg, $i$, $\mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}$) with $0 \le 2j < m(k)$
  and $1 \le i \le p$
    (1) If $C_V \ne 0$ then Return $\bot$  // Interaction with prover instance allowed
        only before interaction with verifier begins //
    (2) $\mathrm{MSG}_{2j+1} \leftarrow \mathcal{ID}(\mathsf{prvmsg}, sk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}; R_i)$
    (3) Return $\mathrm{MSG}_{2j+1}$

• When $I$ makes query Send(vfmsg, $\mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j-1}$) with $1 \le 2j - 1 \le m(k)$
    (1) $C_V \leftarrow C_V + 2$
    (2) If $2j < C_V$ then Return $\bot$  // Not allowed to reset the verifier //
    (3) If $2j - 1 < m(k) - 1$ then $\mathrm{MSG}_{2j} \leftarrow \mathcal{ID}(\mathsf{vfmsg}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j-1}; R_V)$; Return $\mathrm{MSG}_{2j}$
    (4) If $2j - 1 = m(k)$ then $\mathsf{decision} \leftarrow \mathcal{ID}(\mathsf{vfend}, pk, \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j}; R_V)$
    (5) Return $\mathsf{decision}$

Did $I$ win? When $I$ has terminated set $\mathrm{WIN}_I = \mathsf{true}$ if $\mathsf{decision} = \mathsf{accept}$.

Fig. 2. Experiment describing execution of identification protocol $\mathcal{ID}$ with adversary
$I$ and security parameter $k$ in the CR1 setting.



A Send(vfmsg, $x$) query is used to invoke the verifier on a conversation prefix
$x$ and results in the adversary being returned either the next verifier message
computed as $\mathcal{ID}(\mathsf{vfmsg}, pk, x; R_V)$ — this when the verifier still has a move to
make — or the decision computed as $\mathcal{ID}(\mathsf{vfend}, pk, x; R_V)$ — this when $x$ corresponds
to a full conversation. (Here $R_V$ was chosen at random in the experiment
initialization step. It is assumed that $x = \mathrm{MSG}_1 \| \cdots \| \mathrm{MSG}_{2j-1}$ is a valid conversation
prefix, meaning contains an odd number of messages $1 \le 2j - 1 \le m(k)$,
else the query is not valid.) Unlike a prover instance, resetting the (single) verifier
instance is not allowed. (Our signature and encryption based protocols are
actually secure even if verifier resets are allowed, but since the practical need to
consider this attack is not apparent, the definition excludes it.) This is enforced
explicitly in the experiments via the verifier message counter $C_V$.
In the CR1 setting, the adversary’s actions are divided into two phases. In the
first phase it interacts with the prover instances, not being allowed to interact
with the verifier; in the second phase it is denied access to the prover instances
and tries to convince the verifier to accept. $\mathbf{Experiment}^{\mathrm{cr1}}_{\mathcal{ID},I}(k)$ enforces this
by returning $\bot$ in reply to a Send(prvmsg, $i$, $x$) unless $C_V = 0$.

The adversary wins if it makes the verifier instance accept. The parameter
$\mathrm{WIN}_I$ is set accordingly in $\mathbf{Experiment}^{\mathrm{cr1}}_{\mathcal{ID},I}(k)$. The definition of the protocol
is responsible for ensuring that both parties reject a received conversation prefix
if it is inconsistent with their coins. It is also assumed that the adversary never
repeats an oracle query. We can now provide definitions of security for protocol
$\mathcal{ID}$.

Definition 1. [Security of an ID protocol in the CR1 setting] Let $\mathcal{ID}$ be
an identification protocol description for the CR1 setting. Let $I$ be an adversary
(called an impersonator in this context) and let $k$ be the security parameter. The
advantage of impersonator $I$ is

$$\ldots(k) = \Pr\left[\, \mathrm{WIN}_I = \mathsf{true} \,\right]$$

where the probability is with respect to $\mathbf{Experiment}^{\mathrm{cr1}}_{\mathcal{ID},I}(k)$. Protocol $\mathcal{ID}$ is said
to be polynomially-secure in the CR1 setting if $\ldots(\cdot)$ is negligible for any
impersonator $I$ of time-complexity polynomial in $k$. ∎

We adopt the convention that the time-complexity t(k) of an adversary I is the execution time of the entire experiment Experiment^{cr1}_{ID,I}(k), including the time taken for initialization, computation of replies to adversary oracle queries, and computation of WIN_I. We also define the query-complexity q(k) of I as the number of Send(prvmsg, ·, ·) queries made by I in Experiment^{cr1}_{ID,I}(k). It is always the case that q(k) ≤ t(k), so an adversary of polynomial time-complexity has polynomial query-complexity. These definitions and conventions can be ignored if polynomial-security is the only concern, but simplify concrete security considerations to which we will pay some attention later.

A definition of security for the CR2 setting can be found in [3].

3 CR1-Secure Identification Protocols

Four paradigms are illustrated: signature based, encryption based, identification based, and zero-knowledge based.

3.1 A Signature Based Protocol

We assume knowledge of background in digital signatures as summarized in [3].

Signature based identification. A natural identification protocol is for the verifier to issue a random challenge CH_V and the prover to respond with a signature of CH_V computed under its secret key sk. (Prefix the protocol with an initial start move by the prover to request start of an identification process, and you have a three move protocol.) This simple protocol can be proven secure in the serial, non-resettable (i.e. standard smartcard) setting of [?] as long as the signature scheme meets the notion of security of [?]. (This result seems to be folklore.) The same protocol has also been proven to provide authentication in the concurrent, non-resettable (i.e. standard network) setting [?]. (The intuition in both cases is that the only thing an adversary can do with a prover oracle is feed it challenge strings and obtain their signatures, and if the scheme is secure against chosen-message attack this will not help the adversary forge a signature of a challenge issued by the verifier unless it guesses the latter, and the probability of the last event can be made small by using a long enough challenge.) This protocol is thus a natural candidate for identification in the resettable setting.

Prover: pk, sk; Coins: R_P = ε          Verifier: pk; Coins: R_V = CH_V

  Prover   -> Verifier : start
  Verifier -> Prover   : CH_V
  Prover   : SIG <- DS(sign, sk, CH_V)
  Prover   -> Verifier : SIG
  Verifier : Output decision = DS(vf, pk, CH_V, SIG)

Fig. 3. Reset-secure identification protocol ID for the CR1 setting based on a deterministic, stateless digital signature scheme DS.

However this protocol does not always provide security in the resettable setting. The intuition described above breaks down because resetting allows an adversary to obtain the signatures of different messages under the same set of coins. (It can activate a prover instance and then query it repeatedly with different challenges, thereby obtaining their signatures with respect to a fixed set of coin tosses.) As explained in [?], this is not covered by the usual notion of a chosen-message attack used to define security of signature schemes in [?]. And indeed, for many signature schemes it is possible to forge the signature of a new message if one is able to obtain the signatures of several messages under one set of coins. Similarly, if the signing algorithm is stateful, resetting allows an adversary to make the prover release several signatures computed using one value of the state variable (effectively, the prover does not get a chance to update its state as it expects to), again leading to the possibility of forgery on a scheme secure in the standard sense.

The solution is simple: restrict the signature scheme to be stateless and deterministic. In [3] we explain how signature schemes can be imbued with these attributes so that stateless, deterministic signature schemes are available.
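The failure mode just described, and the deterministic fix, as an added Python example (not code from the paper): a toy Schnorr signature over a tiny constructed group plays the role of DS in the protocol of Fig. 3. The randomized prover reads its nonce from its random tape, so a reset followed by a different challenge yields two signatures under the same coins, and their two s-values then determine the secret key; that is the forgery the text warns about. The deterministic prover derives its nonce from the secret key and the message (RFC 6979-style derandomisation, an assumed way of making DS deterministic), so a reset gives the adversary nothing beyond a replay of the same signature for the same challenge. The group (p = 1019, q = 509, g = 4), the challenge strings and the hash-to-Z_q are constructed for the demonstration and far too small for real use.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime and G = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def h_int(*parts):
    """Hash the parts to an integer mod q (models the signature scheme's hash)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def schnorr_sign(x, msg, k):
    """Schnorr signature (r, s) on msg with nonce k; the caller decides where k comes from."""
    r = pow(G, k, P)
    return r, (k + h_int(r, msg) * x) % Q


def schnorr_verify(X, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(X, h_int(r, msg), P) % P


# Two provers for the protocol of Fig. 3; they differ only in where the signing nonce comes from.
def randomized_prover(x, tape, challenge):
    """Nonce read from the random tape R_P: a reset replays the tape, hence the same nonce."""
    return schnorr_sign(x, challenge, tape % Q)


def deterministic_prover(x, tape, challenge):
    """Nonce derived from (sk, message), RFC 6979-style; the random tape is not used at all."""
    return schnorr_sign(x, challenge, h_int("nonce", x, challenge))


def recover_key(msg1, sig1, msg2, sig2):
    """Two signatures sharing r (same nonce) with different hash values determine x."""
    (r1, s1), (r2, s2) = sig1, sig2
    c1, c2 = h_int(r1, msg1), h_int(r2, msg2)
    if r1 != r2 or c1 == c2:
        return None
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q


def reset_demo(prover):
    """Run the prover, reset it (same tape), and run it again on a different verifier challenge."""
    X, x = keygen()
    tape = secrets.randbits(64)                        # prover's random tape R_P
    ch1, ch2 = "challenge-7a1f", "challenge-3c09"      # constructed verifier challenges CH_V
    sig1 = prover(x, tape, ch1)
    sig2 = prover(x, tape, ch2)                        # after the reset
    return {
        "both_verify": schnorr_verify(X, ch1, sig1) and schnorr_verify(X, ch2, sig2),
        "same_nonce": sig1[0] == sig2[0],
        "hashes_differ": h_int(sig1[0], ch1) != h_int(sig2[0], ch2),
        "replay_identical": prover(x, tape, ch1) == sig1,
        "key_recovered": recover_key(ch1, sig1, ch2, sig2) == x,
    }
```

For the randomized prover `same_nonce` is always true after a reset and `key_recovered` holds whenever the two challenge hashes differ; for the deterministic prover the two runs use independent nonces and `recover_key` has nothing to work with. The same check (sign twice under one tape, compare r) is the quickest way to tell whether a candidate DS is usable in this protocol.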

Protocol and security. Let DS be a deterministic, stateless signature scheme. Figure 3 illustrates the flows of the associated identification protocol ID. A parameter of the protocol is the length vcl(k) of the verifier’s random challenge. The prover is deterministic and has random tape ε while the verifier’s random tape is CH_V. Refer to Definition 1 and [3] for the meanings of terms used in the theorem below, and to [3] for the proof.

Theorem 1. [Concrete security of the signature based ID scheme in the CR1 setting] Let DS be a deterministic, stateless signature scheme, let vcl(·) be a polynomially-bounded function, and let ID be the associated identification scheme as per Figure 3. If I is an adversary of time-complexity t(·) and query-complexity q(·) attacking ID in the CR1 setting then there exists a forger F attacking DS such that

< Adv'^g p{k) + ■ ( 1 ) 

Furthermore F has time-complexity t(k) and makes at most q(k) signing queries in its chosen-message attack on DS.

This immediately implies the following:

Corollary 1. [Polynomial-security of the signature based ID scheme in the CR1 setting] Let DS be a deterministic, stateless signature scheme, let vcl(k) = k, and let ID be the associated identification scheme as per Figure 3. If DS is polynomially-secure then ID is polynomially-secure in the CR1 setting.

We show in [3] that this implies:

Corollary 2. [Existence of an ID scheme polynomially-secure in the CR1 setting] Assume there exists a one-way function. Then there exists an identification scheme that is polynomially-secure in the CR1 setting.

3.2 An Encryption Based Protocol

Encryption based identification. The idea is simple: the prover proves its identity by proving its ability to decrypt a ciphertext sent by the verifier. This basic idea goes back to early work in entity authentication where the encryption was usually symmetric (i.e. private-key based). These early protocols however had no supporting definitions or analysis. The first “modern” treatment is that of [?], who considered the paradigm with regard to providing deniable authentication and identified non-malleability under chosen-ciphertext attack (equivalently, indistinguishability under chosen-ciphertext attack [?]) as the security property required of the encryption scheme. Results of [?] imply that the protocol is a secure identification scheme in the concurrent non-reset setting, but reset attacks have not been considered before.

Protocol and security. Let AE be an asymmetric encryption scheme polynomially-secure against chosen-ciphertext attack. Figure 4 illustrates the flows of the associated identification protocol ID. A parameter of this protocol is the length vcl(k) of the verifier’s random challenge. The verifier sends the prover a ciphertext formed by encrypting a random challenge, and the prover identifies itself by correctly decrypting this to send the verifier back the challenge. The prover is deterministic, having random tape ε. We make the coins R_e used by the encryption algorithm explicit, so that the verifier’s random tape consists of the challenge (a random string of length vcl(k), where vcl is a parameter of the protocol) and coins sufficient for one invocation of the encryption algorithm. Refer to Definition 1 and [3] for the meanings of terms used in the theorem below, and to [3] for the proof.

Prover: pk, sk; Coins: R_P = ε          Verifier: pk; Coins: R_V = CH_V || R_e

  Prover   -> Verifier : start
  Verifier : CTXT <- AE(enc, pk, CH_V; R_e)
  Verifier -> Prover   : CTXT
  Prover   : PTXT <- AE(dec, sk, CTXT)
  Prover   -> Verifier : PTXT
  Verifier : if CH_V = PTXT then decision <- accept else decision <- reject
  Verifier : Output decision

Fig. 4. Reset-secure identification protocol ID for the CR1 setting based on a chosen-ciphertext attack secure asymmetric encryption scheme AE.

Theorem 2. [Concrete security of the encryption based ID scheme in the CR1 setting] Let AE be an asymmetric encryption scheme, let vcl(·) be a polynomially-bounded function, and let ID be the associated identification scheme as per Figure 4. If I is an adversary of time-complexity t(·) and query-complexity q(·) attacking ID in the CR1 setting then there exists an eavesdropper E attacking AE such that

Adv“(fc) < • (2) 

Furthermore E has time-complexity t(k), makes one query to its lr-encryption oracle, and at most q(k) queries to its decryption oracle.

This immediately implies the following:

Corollary 3. [Polynomial-security of the encryption based ID scheme in the CR1 setting] Let AE be an asymmetric encryption scheme, let vcl(k) = k, and let ID be the associated identification scheme as per Figure 4. If AE is polynomially-secure against chosen-ciphertext attack then ID is polynomially-secure in the CR1 setting.



3.3 An Identification Based Protocol

Identification based protocol. As discussed in the introduction, proof of knowledge based identification protocols of the Fiat-Shamir type cannot be secure against reset attacks. In this section, however, we present a general transformation of such identification schemes into secure ones in the CR1 setting. We start with identification schemes that consist of three moves: an initial commitment COM of the prover, a random value CH_V, the challenge, of the verifier, and a conclusive response RESP from the prover. We call a protocol obeying this structure a canonical identification scheme.

Loosely speaking, we will assume that the underlying canonical identification scheme CID is secure against non-resetting attacks in the CR1 model, i.e., against attacks where the adversary merely runs concurrent sessions with the prover without resets before engaging in a verification. In addition to the Fiat-Shamir system most of the well-known practical identification schemes also achieve this security level, for example Ong-Schnorr [?] for some system parameters, Okamoto-Guillou-Quisquater [?] and Okamoto-Schnorr [?]. Nonetheless, there are also protocols which are only known to be secure against sequential attacks (e.g. [23]).

To avoid confusion with the derived scheme ID, instead of writing Send(prvmsg, ...) and Send(vfmsg, ...), we denote the algorithms generating the commitment, challenge and response message for the CID-protocol CID by CID(cmt, ...), CID(chall, ...), and CID(resp, ...), respectively, and the verification step by CID(vf, ...). We also write Adv_{CID,I_CID}(k) for the probability that an impersonator I_CID succeeds in an attack on scheme CID in the non-resetting CR1 setting.

Protocol and security. Our solution originates from the work of [?] about resettable zero-knowledge. In order to ensure that the adversary does not gain any advantage from resetting the prover, we insert a new first round into the CID-identification protocol in which the verifier non-interactively commits to his challenge CH_V. The parameters for this commitment scheme become part of the public key. This keeps the adversary from resetting the prover to the challenge-message and completing the protocol with different challenges.

In addition, we let the prover determine the random values in his identification by applying a pseudorandom function to the verifier’s initial commitment. Now, if the adversary resets the prover (with the same random tape) to the outset of the protocol and commits to a different challenge then the prover uses virtually independent randomness for this execution, although having the same random tape. On the other hand, using pseudorandom values instead of truly random coins does not weaken the original identification protocol noticeably. Essentially, this prunes the CR1 adversary into a non-resetting one concerning executions with the prover.

In order to handle the intrusion try we use a special, so-called trapdoor commitment scheme TDC for the verifier’s initial commitment. This means that there is a secret information such that knowledge of this secret allows one to generate a dummy commitment and to find a valid opening to any value later on. Furthermore, the dummy commitment and the fake decommitment are identically distributed to an honestly given commitment and opening to the same value. Without knowing the secret a commitment is still solidly binding. Trapdoor commitment schemes exist under standard assumptions like the intractability of the discrete-log or the RSA or factoring assumption [?] and thus under the same assumptions that the aforementioned CID-identification protocols rely on.

Prover: pk = (pk_CID, pk_TDC), sk = sk_CID; Coins: R_P = K          Verifier: pk; Coins: R_V = CH_V || R_C

  Prover   -> Verifier : start
  Verifier : TDCOM <- TDC(cmt, pk_TDC, CH_V; R_C)
  Verifier -> Prover   : TDCOM
  Prover   : R_CID <- PRF(eval, K, TDCOM)
             COM <- CID(cmt, sk_CID; R_CID)
  Prover   -> Verifier : COM
  Verifier -> Prover   : CH_V || R_C
  Prover   : if TDC(vf, pk_TDC, TDCOM, CH_V || R_C) = accept
                then RESP <- CID(resp, sk_CID, COM || CH_V; R_CID)
                else RESP <- ⊥
  Prover   -> Verifier : RESP
  Verifier : decision <- CID(vf, pk_CID, COM || CH_V || RESP)
  Verifier : Output decision

  ID(keygen, k) = CID(keygen, k) and TDC(keygen, k)

Fig. 5. Reset-secure identification protocol ID for the CR1 setting based on an identification scheme CID secure against non-resetting CR1 attacks.

Basically, a trapdoor commitment enables us to reduce an intrusion try of an impersonator I in the derived scheme ID to one for the CID-protocol. If I initiates a session with the verifier in ID then we can first commit to a dummy value without having to communicate with the verifier in CID. When I then takes the next step by sending COM, we forward this commitment to our verifier in CID and learn the verifier’s challenge. Knowing the secret key sk_TDC for the trapdoor scheme we can then find a valid opening for our dummy commitment with respect to the challenge. Finally, we forward I’s response in our attack.

The scheme is displayed in Figure 5. See [?] for definitions and notions. The discussion above indicates that any adversary I for ID does not have much more power than a non-resetting impersonator attacking CID and security of ID follows from the security of CID.

Theorem 3. [Concrete security of the identification based scheme in the CR1 setting] Let CID be a CID-identification protocol and let vcl(·) be a polynomially-bounded function. Also, let PRF be a pseudorandom function family and denote by TDC a trapdoor commitment scheme. Let ID be the associated identification scheme as per Figure 5. If I is an adversary of time-complexity t(·) and query-complexity q(·) attacking ID in the CR1 setting then there exists an adversary I_CID attacking CID in a non-resetting CR1 attack such that

$$\mathrm{Adv}^{\mathrm{cr1}}_{ID,I}(k) \;\le\; q(k)\cdot \mathrm{Adv}_{CID,I_{CID}}(k) + \mathrm{Adv}_{PRF}(k) + \mathrm{Adv}_{TDC}(k).$$

Furthermore I_CID has time-complexity t(k) and runs at most q(k) sessions with the prover before trying to intrude.

As usual we have:

Corollary 4. [Polynomial-security of the identification based scheme in the CR1 setting] Let PRF be a polynomially-secure pseudorandom function family and let TDC be a polynomially-secure trapdoor commitment scheme, set vcl(k) = k, and let ID be the associated identification scheme as per Figure 5. If CID is a polynomially-secure CID-identification protocol in the non-resetting CR1 model then ID is polynomially-secure in the CR1 setting.

Note that the public key in our CR1-secure identification scheme consists of two independent parts, pk_CID and pk_TDC. For concrete schemes the key generation may be combined and simplified. For instance, for Okamoto-Schnorr the public key of the identification protocol describes a group of prime order q, two generators g1, g2 of that group and the public key X = g1^{x1} g2^{x2} for secret x1, x2 ∈ Z_q. The prover sends COM = g1^{r1} g2^{r2} and replies to the challenge CH_V by transmitting y_i = r_i + CH_V·x_i mod q for i = 1, 2. In this case, the public key for the trapdoor commitment scheme could be given by g1, g3 = g1^z for random trapdoor z ∈ Z_q, and the commitment function maps a value c and randomness R_c to g1^c g3^{R_c}.
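The Okamoto-Schnorr instantiation just described, carried through the full protocol of Fig. 5, as an added Python example (not the paper’s code): CID is Okamoto-Schnorr, TDC is the commitment (c, R_c) ↦ g1^c g3^{R_c} from the remark above, and PRF is HMAC-SHA256 keyed with the prover’s tape (an assumed instantiation). The group (p = 1019, q = 509, g1 = 4, g2 = 9), the verifier’s coins and the PRF choice are constructed for the demonstration and far too small for real use. reset_demo runs one prover three times on the same tape: two different committed challenges give independent CID randomness, replaying the same first message reproduces the same COM, and an opening that does not match TDCOM is answered with ⊥. tdc_equivocate shows the trapdoor step the reduction behind Theorem 3 relies on, opening a dummy commitment to a challenge chosen later; no party in the protocol itself holds z.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime; G1 and G2 are squares mod p, so both have prime order q.
P, Q = 1019, 509
G1, G2 = 4, 9


def prf_eval(kappa, tdcom):
    """PRF(eval, K, TDCOM): HMAC-SHA256 keyed with the prover's random tape (assumed PRF)."""
    digest = hmac.new(kappa, tdcom.to_bytes(4, "big"), hashlib.sha256).digest()
    return (int.from_bytes(digest[:16], "big") % Q, int.from_bytes(digest[16:], "big") % Q)


# Trapdoor commitment TDC: pk_TDC = (g1, g3 = g1^z); the trapdoor z is used only in the reduction.
def tdc_keygen():
    z = secrets.randbelow(Q - 1) + 1
    return (G1, pow(G1, z, P)), z


def tdc_commit(pk_tdc, c, rc):
    g1, g3 = pk_tdc
    return pow(g1, c, P) * pow(g3, rc, P) % P


def tdc_verify(pk_tdc, tdcom, c, rc):
    return tdcom == tdc_commit(pk_tdc, c, rc)


def tdc_equivocate(z, c0, rc0, c):
    """With the trapdoor, open commit(c0; rc0) as a commitment to c: c0 + z*rc0 = c + z*rc (mod q)."""
    return (rc0 + (c0 - c) * pow(z, -1, Q)) % Q


# Canonical identification scheme CID: Okamoto-Schnorr.
def cid_keygen():
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G1, x1, P) * pow(G2, x2, P) % P, (x1, x2)


def cid_commit(r_cid):
    r1, r2 = r_cid
    return pow(G1, r1, P) * pow(G2, r2, P) % P


def cid_respond(sk_cid, r_cid, ch):
    return tuple((r + ch * x) % Q for r, x in zip(r_cid, sk_cid))


def cid_verify(pk_cid, com, ch, resp):
    y1, y2 = resp
    return pow(G1, y1, P) * pow(G2, y2, P) % P == com * pow(pk_cid, ch, P) % P


# Derived scheme ID of Fig. 5.
def id_keygen():
    pk_cid, sk_cid = cid_keygen()
    pk_tdc, z = tdc_keygen()
    return (pk_cid, pk_tdc), sk_cid, z      # z is returned only to demonstrate equivocation


class Prover:
    """Deterministic prover: its only randomness is the PRF key K on its tape; no session state."""

    def __init__(self, pk, sk_cid, kappa):
        self.pk, self.sk_cid, self.kappa = pk, sk_cid, kappa

    def commit(self, tdcom):
        return cid_commit(prf_eval(self.kappa, tdcom))

    def respond(self, tdcom, ch, rc):
        if not tdc_verify(self.pk[1], tdcom, ch, rc):
            return None                      # opening does not match TDCOM: RESP = bottom
        return cid_respond(self.sk_cid, prf_eval(self.kappa, tdcom), ch)


def run_session(prover, pk, ch, rc):
    """One run of Fig. 5 with verifier coins R_V = CH_V || R_C; returns (decision, COM)."""
    pk_cid, pk_tdc = pk
    tdcom = tdc_commit(pk_tdc, ch, rc)       # verifier commits to its challenge
    com = prover.commit(tdcom)               # prover's randomness is PRF(K, TDCOM)
    resp = prover.respond(tdcom, ch, rc)     # verifier opens, prover answers
    return (resp is not None and cid_verify(pk_cid, com, ch, resp)), com


def reset_demo():
    pk, sk_cid, _z = id_keygen()
    kappa = secrets.token_bytes(32)          # prover's random tape
    prover = Prover(pk, sk_cid, kappa)
    ch1, ch2, rc = 0x1234, 0x4321, 77        # constructed verifier coins; ch1 != ch2 (mod q)
    ok1, com1 = run_session(prover, pk, ch1, rc)
    ok2, com2 = run_session(prover, pk, ch2, rc)   # reset: same tape, different committed challenge
    ok3, com3 = run_session(prover, pk, ch1, rc)   # reset and replay of the same first message
    t1, t2 = tdc_commit(pk[1], ch1, rc), tdc_commit(pk[1], ch2, rc)
    return {
        "accepted": ok1 and ok2 and ok3,
        "fresh_randomness_after_reset": prf_eval(kappa, t1) != prf_eval(kappa, t2),
        "deterministic_replay": com1 == com3,
        "rejects_bad_opening": prover.respond(t1, ch1 + 1, rc) is None,
    }
```

The prover keeps no per-session state: R_CID is recomputed from TDCOM for both the commitment and the response, which is exactly what lets a reset be harmless, since a different TDCOM yields different CID coins while the same TDCOM yields the same transcript.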



3.4 A Zero-Knowledge Based Protocol

As we discussed in the Introduction, the idea of [?] of proving identity by employing a zero knowledge proof of knowledge has been the accepted paradigm for identification protocols in the smartcard setting. Unfortunately, as we indicated, in the resettable setting this paradigm cannot work.

Resettable Zero Knowledge Based Identity. We thus instead propose the following paradigm. Let L be a hard NP language for which there are no known efficient procedures for membership testing but for which there exists a randomized generating algorithm G which outputs pairs (x, w), where x ∈ L and w is an NP-witness that x ∈ L. (The distribution according to which (x, w) is generated should be one for which it is hard to tell whether x ∈ L or not.) Each user Alice will run G to get a pair (x, w) and will then publish x as its public key. To prove her identity Alice will run a resettable zero-knowledge proof that x ∈ L.

Protocol. To implement the above idea we need resettable zero-knowledge proofs for L. For this we turn to the work of [?]. In [?] two resettable zero-knowledge proofs for any NP language are proposed: one which takes a non-constant number of rounds and works against a computationally unbounded prover, and one which only takes a constant number of rounds and works against computationally bounded provers (i.e. an argument) and requires the verifiers to have published public-keys which the prover can access. We propose to utilize the latter, for efficiency’s sake. Thus, to implement the paradigm, we require both prover and verifier to have public-keys accessible by each other. Whereas the prover’s public key is x whose membership in L it will prove to the verifier, the verifier’s public key in [?] is used for specifying a perfectly private computationally binding commitment scheme which the prover must use during the protocol. (Such commitment schemes exist based for example on the strong hardness of the Discrete Log Assumption.)

Security. We briefly outline how to prove that the resulting ID protocol is secure in the CR1 setting. Suppose not, and that after launching a CR1 attack, an imposter can now falsely identify himself with a non-negligible probability. Then, we will construct a polynomial time algorithm A to decide membership in L. On input x, A first launches the off-line resetting attack using x as the public key and the simulator (which exists by the zero-knowledge property) to obtain views of the protocol execution. (This requires that the simulator be black-box, but this is true in the known protocols.) If x ∈ L, this view should be identical to the view obtained during the real execution, in which case a successful attack will result, which is essentially a way for A to find a language membership proof. If x is not in L, then by the soundness property of a zero-knowledge proof, no matter what the simulator outputs, it will not be possible to prove membership in L.
Abstract. A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.



1 Introduction

The idea that authenticity can be easily obtained as a consequence of the privacy conferred by encryption has long attracted designers. Encryption-with-redundancy is the most popular paradigm to this end. Say that parties sharing key K are encrypting data via some encryption function E. (Typically this is some block cipher mode of operation.) To obtain authenticity, the sender computes some function h of the data M to get a “checksum”¹ τ = h(M). It then computes a ciphertext C ← E_K(M||τ) and sends C to the receiver. The latter decrypts to get M||τ and then checks whether τ = h(M). If not, it rejects the ciphertext as unauthentic.

The attraction of the paradigm is clear: the added cost of providing authenticity is small, amounting to computation of the checksum function plus perhaps one or two extra block cipher invocations in order to encrypt the now longer message. (Designers attempt to use simple and fast checksum functions.) However, the paradigm has a poor security record. For example, using CBC encryption with the checksum being the XOR of the message blocks (called CBCC) was proposed by the U.S. National Bureau of Standards, and was subsequently found to not provide authenticity, as discussed in [23, ?]. If the encryption algorithm is an additive stream cipher (e.g. CTR-mode encryption) where the adversary knows the plaintext, forgery attacks by [?] apply. An attack attributed to Wagner on a large class of CBC-mode encryption-with-redundancy schemes is described in [?].

¹ Other names for the checksum include MDC (Manipulation Detection Code) and “redundancy,” whence the name of the paradigm.

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 512-15^, 2001.
© Springer-Verlag Berlin Heidelberg 2001



1.1 General Results 

The many and continuing efforts to achieve authenticity via the encryption- 
with-redundancy paradigm point to the existence of some intuition that leads 
designers to think that it should work. The intuition appears to be that the 
privacy conveyed by the encryption makes attacks on the integrity harder. The 
first goal of our work is to assess the correctness of this intuition, and the security 
of the paradigm, at a general level. We are not concerned so much with the 
security of specific schemes as with trying to understand how the authenticity 
of the encryption-with-redundancy scheme relates to the security properties of 
the underlying primitives and to what extent the paradigm can be validated at 
a general level. 

We denote the base encryption scheme by SE = (𝒦_e, E, D). (It is specified by its key-generation, encryption, and decryption algorithms.) We are general with regard to the form of the redundancy computation method, allowing it to be key-based. A choice of method is given by a redundancy code RC = (𝒦_r, H) where 𝒦_r is an algorithm responsible for generating a key K_r while H takes K_r and the text M to return the redundancy or checksum τ = H_{K_r}(M). Associated to SE and RC is the encryption-with-redundancy scheme ER in which one encrypts message M via C ← E_{K_e}(M || H_{K_r}(M)). Upon receipt of ciphertext C, the receiver applies D_{K_e} to get back M||τ and accepts iff τ = H_{K_r}(M). Here K_e is the (secret) encryption key for SE.

We distinguish public redundancy and secret redundancy. In the first case, K_r is public information. (H_{K_r}(·) might be a public hash function like SHA-1, or simply return the XOR of the message blocks.) In this case, K_r is known to the adversary, who is thus capable of computing the redundancy function. In the case of secret redundancy, K_r is part of the secret key shared between the parties. (It might for example be a key for a universal hash function [11] or a message authentication code.) In this case the key K_r is not given to the adversary.

The desired authenticity property of the encryption-with-redundancy scheme ER is integrity of ciphertexts [?]: it should be computationally infeasible for an adversary to produce a ciphertext that is valid but different from any created by the sender.
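The paradigm above with both kinds of redundancy, as an added Python example (not the paper’s code): the base scheme is an additive stream cipher built from HMAC-SHA256 in counter mode (a constructed stand-in for a PRF-based CTR mode), the public redundancy is the XOR of the message blocks (the CBCC-style checksum) and the secret redundancy is an HMAC under K_r truncated to one block. flip_demo applies the integrity-of-ciphertexts check: it XORs the same one-byte difference into one message block and into the checksum block of a ciphertext it did not create and asks whether the receiver accepts. With the public XOR redundancy the modified ciphertext is accepted, and the forger does not even need to know the plaintext; with the secret HMAC redundancy it is rejected. Keys and plaintext are constructed. Rejecting this one modification is not a proof of security for the HMAC variant; the general statement in Section 1.1 concerns arbitrary IND-CPA base schemes.

```python
import hashlib
import hmac
import secrets

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, iv, n):
    """Additive stream cipher: CTR mode on HMAC-SHA256, a constructed stand-in for a PRF."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def pad(msg):
    """Zero-pad to a multiple of BLOCK (ambiguous for messages ending in zero bytes; fine here)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


# Redundancy codes RC = (K_r, H): a public one and a secret one.
def public_xor_checksum(_kr, msg):
    """Public redundancy: XOR of the message blocks, computable by anyone (K_r is empty)."""
    t = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        t = xor(t, msg[i:i + BLOCK])
    return t


def secret_hmac_checksum(kr, msg):
    """Secret redundancy: HMAC under a key K_r shared by the parties, truncated to one block."""
    return hmac.new(kr, msg, hashlib.sha256).digest()[:BLOCK]


def er_encrypt(ke, kr, redundancy, msg):
    """Encryption-with-redundancy: C = IV || E_Ke(M || H_Kr(M))."""
    m = pad(msg)
    iv = secrets.token_bytes(16)
    body = m + redundancy(kr, m)
    return iv + xor(body, keystream(ke, iv, len(body)))


def er_decrypt(ke, kr, redundancy, ctxt):
    """Decrypt, split off the checksum and accept only if it matches; None means 'unauthentic'."""
    iv, c = ctxt[:16], ctxt[16:]
    body = xor(c, keystream(ke, iv, len(c)))
    m, t = body[:-BLOCK], body[-BLOCK:]
    return m if hmac.compare_digest(t, redundancy(kr, m)) else None


def flip_demo(redundancy, kr):
    """Integrity-of-ciphertexts check: XOR the same delta into one message block and into the
    checksum block of a ciphertext the forger did not create; return what the receiver makes of it."""
    ke = secrets.token_bytes(32)
    msg = b"transfer 100 to account 7".ljust(32, b" ")     # constructed plaintext, two blocks
    ctxt = er_encrypt(ke, kr, redundancy, msg)
    delta = bytes([0x40]) + bytes(BLOCK - 1)                # flips one bit of the first block
    forged = bytearray(ctxt)
    for off in (16, len(ctxt) - BLOCK):                     # first message block, checksum block
        forged[off:off + BLOCK] = xor(bytes(forged[off:off + BLOCK]), delta)
    return er_decrypt(ke, kr, redundancy, bytes(forged))
```

With the XOR checksum the receiver returns the altered plaintext (first byte 't' has become '4'), because XORing the same delta into a message block and into the checksum keeps the checksum relation intact regardless of the keystream; with the HMAC checksum er_decrypt returns None.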

We allow the assumed privacy attribute of the base encryption scheme to range across the various well-established notions of privacy used in the literature: IND-CPA, NM-CPA, IND-CCA. (Indistinguishability under chosen-plaintext attack [?], non-malleability under chosen-plaintext attack [?] and indistinguishability under chosen-ciphertext attack [?], respectively. Recall that non-malleability under chosen-ciphertext attack is equivalent to IND-CCA [?] so we don’t need to consider it separately.)

Type of base encryption | Condition on redundancy code
                        | For public redundancy | For secret redundancy
------------------------+-----------------------+----------------------
IND-CPA                 | None                  | None
NM-CPA                  | None                  | UF-NMA
IND-CCA                 | None                  | UF-NMA

Fig. 1. For each possible privacy attribute SSS-AAA of the base encryption scheme, we indicate a condition on the redundancy code that is necessary and sufficient for it to be integrity-providing with respect to SSS-AAA. We distinguish the cases where the redundancy is public (anyone can compute it) and secret (depends on the shared secret key). “None” means that the corresponding class of redundancy codes is empty: no redundancy code is integrity-providing.

We say that a redundancy code RC is integrity-providing with respect to security notion SSS-AAA if for all base encryption schemes SE that are SSS-AAA secure, the encryption-with-redundancy scheme ER obtained from SE and RC is secure in the sense of integrity of ciphertexts. (This property of a redundancy code is attractive from the design viewpoint, since a redundancy code having this property may be used in conjunction with any SSS-AAA-secure base encryption scheme, and authenticity of the resulting encryption-with-redundancy scheme is guaranteed.) The question we ask is the following. Given a notion of security SSS-AAA, what security attribute of the redundancy code RC will ensure that RC is integrity-providing with respect to security notion SSS-AAA?

We find that an important distinction to be made in answering this question is whether or not the redundancy computation is secret-key based. Figure 1 summarizes the results we expand on below.

Encryption with public redundancy. We show that there is no choice of public redundancy code RC which is integrity-providing with respect to notions of security IND-CPA, NM-CPA or IND-CCA. This is a powerful indication that the intuition that privacy helps provide integrity via encryption-with-redundancy is wrong in the case where the adversary can compute the redundancy function.

This conclusion is not surprising when the base encryption scheme meets only 
a weak notion of privacy like IND-CPA. But one might have thought that there 
are redundancy codes for which a condition like NM-CPA on the base encryption 
scheme would suffice to prove integrity of ciphertexts for the resulting encryption- 
with-redundancy scheme. Not only is this false, but it stays false when the base 
encryption scheme has even a stronger privacy attribute like IND-CCA. 

Note that the most popular methods for providing redundancy are public, 
typically involving computing a keyless checksum of the message, and our result 
applies to these. 
The result is proved by giving an example of a base encryption scheme meeting the notion of privacy in question such that for any redundancy code the corresponding encryption with public redundancy scheme can be attacked. (This assumes there exists some base encryption scheme meeting the notion of privacy in question, else the issue is moot.)

Encryption with secret redundancy. As Figure 1 indicates, allowing the computation of the redundancy to depend on a secret key does not help if the base encryption scheme meets only a weak notion of privacy like IND-CPA — no secret redundancy code is integrity-providing with respect to IND-CPA.

However secret redundancy does help if the base encryption scheme has 
stronger privacy attributes. We characterize the requirement on the redundancy 
code in this case. We say that it is UF-NMA (UnForgeable under No-Message 
Attack) if it is a MAC for which forgery is infeasible for an adversary that is not 
allowed to see the MACs of any messages before it must output its forgery. Our 
result is that this condition on the redundancy code is necessary and sufficient 
to ensure that it is integrity-providing with respect to NM-CPA and IND-CCA. 

We stress that UF-NMA is a very weak security requirement, so the impli- 
cation is that allowing the redundancy computation to depend on a secret key 
greatly increases security as long as the base encryption scheme is strong enough. 
We also stress that our condition on the redundancy code is both necessary and 
sufficient. Still in practice, the implication is largely negative because standard 
modes of operation do not meet notions like NM-CPA or IND-CCA. 

Perspective. The above results do not rule out obtaining secure schemes from 
the encryption-with-redundancy paradigm. The results refer to the ability to 
prove authenticity of the encryption-with-redundancy scheme in general, mean- 
ing based solely on assumed privacy attributes of the base encryption scheme 
and attributes of the redundancy code. 

One might consider encryption with some specific redundancy code using as 
base encryption scheme a block cipher based mode of operation that is only IND- 
CPA secure, and yet be able to prove authenticity by analyzing the encryption- 
with-redundancy scheme directly based on the assumption that the block cipher 
is a pseudorandom permutation. This would not contradict the above results. 
What the above results do is show that the intuition that privacy helps integrity 
is flawed. Encryption-with-redundancy might work, but not for that reason. If a specific scheme such as the example we just mentioned works, it is not because of the privacy provided by the encryption, but, say, because of the pseudorandomness of the block cipher. In practice this tells us that to get secure encryption-with-redundancy schemes we must look at specific constructions and analyze them directly. This is what we do next.

1.2 Encryption with NCBC 

We consider a variant of (random-IV) CBC mode encryption in which the en- 
ciphering corresponding to the last message block is done under a key different 
from that used for the other blocks. We call this mode NCBC. Here we are able 
to obtain positive results for both public and secret redundancy functions. 
We show that if secret redundancy is used, quite simple and efficient redundancy codes suffice for the NCBC with redundancy scheme to provide authenticity. The redundancy code should satisfy the property called AXU (Almost Xor Universal) in [?]. (Any Universal-2 function has this property and there are other efficient constructs as well [?].) On the other hand we show that if the redundancy is public, then authenticity of the NCBC with redundancy scheme is guaranteed if the redundancy code is XOR-collision-resistant. (The latter, a cryptographic property we define, can be viewed either as a variant of the standard collision-resistance property, or as an extension of the AXU property to the case where the key underlying the function is public.) These results assume the underlying block cipher is a strong pseudorandom permutation in the sense of [?].

These results should be contrasted with what we know about encryption with redundancy using the standard CBC mode as the base encryption scheme. Wagner's attack, pointed out in [23], implies that no public redundancy code will, in conjunction with CBC encryption, yield an encryption-with-redundancy scheme possessing integrity of ciphertexts. In the case where the redundancy is secret, Krawczyk [23] shows that it suffices for the redundancy code to be a MAC secure against chosen-message attack, but this is a strong condition on the redundancy code compared to the AXU property that suffices for NCBC. Thus, the simple modification consisting of enciphering under a different key for the last block substantially enhances CBC with regard to its ability to provide authenticity under the encryption-with-redundancy paradigm.



1.3 Related Work 

Preneel gives an overview of existing authentication methods that includes much relevant background. A comprehensive treatment of authenticated encryption, the goal of joint privacy and authenticity, relates the different notions of privacy and authenticity and compares their relative strengths.

Encryption-with-redundancy is one of many approaches to the design of authenticated encryption schemes. Another general approach is "generic composition": combine an encryption scheme with a MAC in some way. The analysis of this approach considers the following generic composition methods: Encrypt-and-MAC, MAC-then-encrypt, Encrypt-then-MAC. For each of these methods it considers two notions of integrity, namely integrity of ciphertexts and a weaker notion of integrity of plaintexts, and then, assuming the base encryption scheme is IND-CPA and the MAC is secure against chosen-message attack, indicates whether or not the method has the integrity property in question. Krawczyk's recent work considers the same methods from the point of view of building "secure channels" over insecure networks. The drawback of the generic composition approach compared to the encryption-with-redundancy approach is that some MACs might be less efficient than redundancy codes, and that public redundancy avoids the additional independent key that is required for MACs.

Another general paradigm is "encode then encipher": add randomness and redundancy and then encipher rather than encrypt. Encode then encipher requires a variable-input-length strong pseudorandom permutation, which can be relatively expensive to construct.

Let SNCBC[F, RC] denote NCBC encryption with block cipher F and secret redundancy provided by an efficient AXU redundancy code RC. We compare this to other authenticated encryption schemes such as RPC mode, IACBC, and OCB. RPC is computation and space inefficient compared to all the other methods. IACBC and OCB have cost comparable to that of SNCBC[F, RC], but OCB is parallelizable.

Encryption-with-redundancy is one of many approaches to simultaneously achieving privacy and authenticity. Our goal was to analyze and better understand this approach. We do not suggest it is superior to other approaches.



2 Definitions 

A string is a member of $\{0,1\}^*$. We denote by "$\|$" an operation that combines several strings into one in such a way that the constituent strings are uniquely recoverable from the final one. (If the lengths of all strings are fixed and known, concatenation will serve the purpose.) The empty string is denoted $\varepsilon$.

Extended encryption schemes. The usual syntax of a symmetric encryption scheme is that encryption and decryption depend on a key shared between sender and receiver but not given to the adversary. We wish to consider a setting where operations depend, in addition to the shared key, on some public information, such as a hash function. The latter may be key based. (Think of the key as having been chosen at random at design time and embedded in the hash function.) All parties including the adversary have access to this key, which we call the common key. We need to model it explicitly because security depends on the random choice of this key even though it is public. This requires a change in encryption scheme syntax. Accordingly we define an extended encryption scheme which extends the usual symmetric encryption scheme by addition of another key generation algorithm. Specifically an extended encryption scheme $\mathcal{EE} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ consists of four algorithms as follows. The randomized common key generation algorithm $\mathcal{K}_c$ takes input a security parameter $k \in \mathbb{N}$ and in time $\mathrm{poly}(k)$ returns a key $K_c$; we write $K_c \xleftarrow{\$} \mathcal{K}_c(k)$. The randomized secret key generation algorithm $\mathcal{K}_s$ also takes input $k \in \mathbb{N}$ and in time $\mathrm{poly}(k)$ returns a key $K_s$; we write $K_s \xleftarrow{\$} \mathcal{K}_s(k)$. We let $K = (K_c, K_s)$. The encryption algorithm $\mathcal{E}$ is either randomized or stateful. It takes $K$ and a plaintext $M$ and in time $\mathrm{poly}(k, |M|)$ returns a ciphertext $C = \mathcal{E}_K(M)$; we write $C \xleftarrow{\$} \mathcal{E}_K(M)$. (If randomized, it flips coins, anew upon each invocation. If stateful, it maintains a state which it updates upon each invocation.) The deterministic and stateless decryption algorithm $\mathcal{D}$ takes the key $K$ and a string $C$ and in time $\mathrm{poly}(k, |C|)$ returns either the corresponding plaintext $M$ or the distinguished symbol $\bot$; we write $X \leftarrow \mathcal{D}_K(C)$. We require that $\mathcal{D}_K(\mathcal{E}_K(M)) = M$ for all $M \in \{0,1\}^*$.

Notice that it is not apparent from the syntax why there are two keys, because they are treated identically. The difference will surface when we consider security: we will view the legitimate users as possessing $K_s$ while both they and the adversary have $K_c$. (It also surfaces in something we don't consider explicitly here, which is a multi-user setting. In that case, although $K_s$ will be generated anew for each pair of users, $K_c$ may be the same across the whole system.)

A standard symmetric encryption scheme, namely one where there is no common key, can be recovered as the special case where the common key generation algorithm $\mathcal{K}_c$ returns the empty string. Formally, we say that $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a (symmetric) encryption scheme if $\mathcal{EE} = (\mathcal{K}_c, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is an extended encryption scheme where $\mathcal{K}_c$ is the algorithm which on any input returns the empty string. When the common key $K_c$ is the empty string we may also omit it in the input given to the adversary.

Notions of security. Notions of security for symmetric encryption schemes 
are easily adapted to extended encryption schemes by giving the adversary the 
common key as input. Via the formal definitions shown below and this discussion 
we will summarize the definitions we need. 

We let $\mathcal{EE} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ be the extended encryption scheme whose security we are defining. The formalizations, given in Definition 1 and Definition 2,
associate to each notion of security and each adversary an experiment, and based 
on that, an advantage. The latter is a function of the security parameter that 
measures the success probability of the adversary. Asymptotic notions of security 
result by asking this function to be negligible for adversaries of time complex- 
ity polynomial in the security parameter. Concrete security assessments can be 
made by associating to the scheme another advantage function that for each 
value of the security parameter and given resources for an adversary returns the 
maximum, over all adversaries limited to the given resources, of the advantage 
of the adversary. 

Note that these definitions apply to standard symmetric encryption schemes 
too, since as per our conventions the latter are simply the special case of extended 
encryption schemes in which the common key generation algorithm returns the 
empty string. 

Privacy. The basic and weakest natural notion of privacy is IND-CPA. We use the left-or-right formalization, which adapts the indistinguishability notion to the symmetric setting. A challenge bit $b$ is chosen, the adversary is given $K_c$, and can query, adaptively and as often as it likes, the left-or-right encryption oracle. The adversary wins if it can guess $b$. For IND-CCA the adversary gets in addition a decryption oracle but loses if it queries it on any ciphertext returned by the left-or-right encryption oracle.

Non-malleability captures, intuitively, the inability of an adversary to change a ciphertext into another one such that the underlying plaintexts are meaningfully related. We do not formalize it directly but rather via the equivalent characterization as indistinguishability under parallel chosen-ciphertext attack. (This facilitates our proofs.) The adversary gets the left-or-right encryption oracle and must then decide on a vector of ciphertexts $\mathbf{c}$. (It loses if they contain an output of the left-or-right encryption oracle.) It is given their corresponding decryptions $\mathbf{p}$ and then wins if it guesses the challenge bit.

The formal definition of privacy is below with the associated experiments. 

Definition 1. [Privacy] Let $\mathcal{EE} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ be an extended encryption scheme, $b \in \{0,1\}$ a challenge bit and $k \in \mathbb{N}$ the security parameter. Let $A$ be an adversary that outputs a bit $d$. The left-or-right encryption oracle $\mathcal{E}_K(\mathcal{LR}(\cdot, \cdot, b))$, given to the adversary $A$, takes input a pair $(x_0, x_1)$ of equal-length messages, computes ciphertext $X \xleftarrow{\$} \mathcal{E}_K(x_b)$, and returns $X$ to the adversary. (It flips coins, or updates state for the encryption function, as necessary. If the input messages are not of equal length it returns the empty string.) Now consider the following experiments each of which returns a bit.

Experiment $\mathbf{Exp}^{\text{ind-cpa-}b}_{\mathcal{EE},A}(k)$
  $K_c \xleftarrow{\$} \mathcal{K}_c(k)$ ; $K_s \xleftarrow{\$} \mathcal{K}_s(k)$ ; $K \leftarrow (K_c, K_s)$
  $d \xleftarrow{\$} A^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))}(k, K_c)$
  return $d$

Experiment $\mathbf{Exp}^{\text{ind-cca-}b}_{\mathcal{EE},A}(k)$
  $K_c \xleftarrow{\$} \mathcal{K}_c(k)$ ; $K_s \xleftarrow{\$} \mathcal{K}_s(k)$ ; $K \leftarrow (K_c, K_s)$
  $d \xleftarrow{\$} A^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b)),\,\mathcal{D}_K(\cdot)}(k, K_c)$
  If $\mathcal{D}_K(\cdot)$ was never queried on an output of $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ then return $d$ else return 0

Experiment $\mathbf{Exp}^{\text{nm-cpa-}b}_{\mathcal{EE},A}(k)$
  $K_c \xleftarrow{\$} \mathcal{K}_c(k)$ ; $K_s \xleftarrow{\$} \mathcal{K}_s(k)$ ; $K \leftarrow (K_c, K_s)$
  $(\mathbf{c}, s) \xleftarrow{\$} A^{\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))}(k, K_c)$ ; $\mathbf{p} \leftarrow (\mathcal{D}_K(c_1), \ldots, \mathcal{D}_K(c_n))$ ; $d \xleftarrow{\$} A(\mathbf{p}, \mathbf{c}, s)$
  If $\mathbf{c}$ contains no ciphertext output by $\mathcal{E}_K(\mathcal{LR}(\cdot,\cdot,b))$ then return $d$ else return 0

For each notion of privacy sss-aaa $\in \{$ind-cpa, ind-cca, nm-cpa$\}$ we associate to the adversary $A$ a corresponding advantage defined via

$\mathbf{Adv}^{\text{sss-aaa}}_{\mathcal{EE},A}(k) = \Pr\left[\mathbf{Exp}^{\text{sss-aaa-}1}_{\mathcal{EE},A}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{sss-aaa-}0}_{\mathcal{EE},A}(k) = 1\right]$.

For each security notion SSS-AAA $\in \{$IND-CPA, IND-CCA, NM-CPA$\}$, the scheme $\mathcal{EE}$ is said to be SSS-AAA secure if the corresponding advantage function $\mathbf{Adv}^{\text{sss-aaa}}_{\mathcal{EE},A}(\cdot)$ of any adversary $A$ whose time-complexity is polynomial in $k$ is negligible.

Integrity. The formalization of integrity follows prior work on authenticated encryption. The adversary is allowed to mount a chosen-message attack on the scheme, modeled by giving it access to an encryption oracle. Success is measured by its ability to output a "new" ciphertext that makes the decryption algorithm output a plaintext rather than reject by outputting $\bot$. Here the "new" ciphertext means that the ciphertext was never output by the encryption oracle as a response to the adversary's queries. The formal definition of integrity is below with the associated experiment.

Definition 2. [Integrity] Let $\mathcal{EE} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ be an extended encryption scheme, and $k \in \mathbb{N}$ the security parameter. Let $B$ be an adversary that has access to the encryption oracle and outputs a ciphertext. Now consider the following experiment.

Experiment $\mathbf{Exp}^{\text{int-ctxt}}_{\mathcal{EE},B}(k)$
  $K_c \xleftarrow{\$} \mathcal{K}_c(k)$ ; $K_s \xleftarrow{\$} \mathcal{K}_s(k)$ ; $K \leftarrow (K_c, K_s)$ ; $C \xleftarrow{\$} B^{\mathcal{E}_K(\cdot)}(k, K_c)$
  If $\mathcal{D}_K(C) \neq \bot$ and $C$ was never a response of $\mathcal{E}_K(\cdot)$ then return 1 else return 0

We associate to the adversary $B$ a corresponding advantage defined via

$\mathbf{Adv}^{\text{int-ctxt}}_{\mathcal{EE},B}(k) = \Pr\left[\mathbf{Exp}^{\text{int-ctxt}}_{\mathcal{EE},B}(k) = 1\right]$.

The scheme $\mathcal{EE}$ is said to be INT-CTXT secure if the advantage function $\mathbf{Adv}^{\text{int-ctxt}}_{\mathcal{EE},B}(\cdot)$ of any adversary $B$ whose time-complexity is polynomial in $k$ is negligible.



3 The Encryption-with-Redundancy Paradigm 

We describe the paradigm in a general setting, as a transform that associates to 
any given symmetric encryption scheme and any given “redundancy code” an 
extended encryption scheme. We first define the syntax for redundancy codes, 
then detail the constructions, separating the cases of public and secret redun- 
dancy, and conclude by observing that the transform always preserves privacy. 
This leaves later sections to investigate the difficult issue, namely the integrity 
of the extended encryption scheme with redundancy. 

Redundancy codes. A redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ consists of two algorithms $\mathcal{K}_r$ and $\mathcal{H}$. The randomized key generation algorithm $\mathcal{K}_r$ takes a security parameter $k$ and in time $\mathrm{poly}(k)$ returns a key $K_r$; we write $K_r \xleftarrow{\$} \mathcal{K}_r(k)$. The deterministic redundancy computation algorithm $\mathcal{H}$ takes $K_r$ and a string $M \in \{0,1\}^*$ and in time $\mathrm{poly}(k, |M|)$ returns a string $r$; we write $r \leftarrow \mathcal{H}_{K_r}(M)$. Usually the length of $r$ is $\ell(k)$, where $\ell(\cdot)$, an integer valued function that depends only on the security parameter, is called the output length of the redundancy code. We say that the redundancy is public if the key $K_r$ is public and known to the adversary. We say the redundancy is secret if $K_r$ is part of the shared secret key.

Extended encryption schemes with redundancy. Let $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ be a given (symmetric) encryption scheme, which we will call the base encryption scheme. Let $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ be a given redundancy code as above. We define an associated extended encryption scheme with public redundancy and an associated extended encryption scheme with secret redundancy.

Construction 1. The extended encryption scheme with public redundancy $\mathcal{EPR} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$, associated to base encryption scheme $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ and redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$, is defined as follows:

Algorithm $\mathcal{K}_c(k)$
  $K_r \xleftarrow{\$} \mathcal{K}_r(k)$
  return $K_r$

Algorithm $\mathcal{K}_s(k)$
  $K_e \xleftarrow{\$} \mathcal{K}_e(k)$
  return $K_e$

Algorithm $\mathcal{E}_{(K_e, K_r)}(M)$
  $t \leftarrow \mathcal{H}_{K_r}(M)$
  $C \xleftarrow{\$} \mathcal{E}_{K_e}(M \| t)$
  return $C$

Algorithm $\mathcal{D}_{(K_e, K_r)}(C)$
  $P \leftarrow \mathcal{D}_{K_e}(C)$
  Parse $P$ as $M \| t$
  if $\mathcal{H}_{K_r}(M) \neq t$ then return $\bot$ else return $M$

Note that the common-key generation algorithm returns the key for the redundancy function, which is thus available to the adversary. That is why we say the redundancy is public.



Construction 2. The extended encryption scheme with secret redundancy $\mathcal{ESR} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$, associated to base encryption scheme $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ and redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$, is defined as follows:

Algorithm $\mathcal{K}_c(k)$
  return $\varepsilon$

Algorithm $\mathcal{K}_s(k)$
  $K_e \xleftarrow{\$} \mathcal{K}_e(k)$
  $K_r \xleftarrow{\$} \mathcal{K}_r(k)$
  return $(K_e, K_r)$

Algorithm $\mathcal{E}_{(K_e, K_r)}(M)$
  $\tau \leftarrow \mathcal{H}_{K_r}(M)$
  $C \xleftarrow{\$} \mathcal{E}_{K_e}(M \| \tau)$
  return $C$

Algorithm $\mathcal{D}_{(K_e, K_r)}(C)$
  $N \leftarrow \mathcal{D}_{K_e}(C)$
  Parse $N$ as $M \| \tau$
  if $\mathcal{H}_{K_r}(M) \neq \tau$ then return $\bot$ else return $M$

Note that the common key generation algorithm $\mathcal{K}_c$ returns the empty string $\varepsilon$. We may omit the algorithm and write $\mathcal{ESR} = (\mathcal{K}_s, \mathcal{E}, \mathcal{D})$. The key for the redundancy function is part of the secret key not available to the adversary.

The symbol $\bot$ is a distinct symbol that indicates that the ciphertext is not valid. When we refer to an extended encryption scheme with redundancy in general we mean either of the above, and denote it by $\mathcal{ER}$.

Privacy is preserved. We now present a theorem regarding the privacy of an extended encryption scheme with redundancy. It applies both to the case of public and to the case of secret redundancy. The theorem below says that the encryption scheme with redundancy inherits the privacy of the base symmetric encryption scheme regardless of the redundancy code being used. This means that privacy depends only on the underlying encryption scheme, not on the redundancy code. The proof is straightforward and can be found in the full version of this paper.

Theorem 1. [Privacy of an extended encryption scheme with redundancy] Let $\mathcal{SE} = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme and let $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ be a redundancy code. Let $\mathcal{ER} = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ be an associated extended encryption scheme with redundancy, either public or secret. Then if $\mathcal{SE}$ is IND-CPA (resp. IND-CCA, NM-CPA) secure, so is $\mathcal{ER}$.

For simplicity we have stated the theorem with reference to asymptotic notions of security but we remark that the reduction in the proof is tight, and a concrete security statement reflecting this can be derived from the proof.



4 Encryption with Public Redundancy 

Here we will show that in general the encryption with public redundancy paradigm fails in a strong way, meaning there is a base encryption scheme such that for all choices of public redundancy code, the associated extended encryption scheme with public redundancy (cf. Construction 1) fails to provide integrity. This is true regardless of the security property of the base encryption scheme (i.e. IND-CPA, NM-CPA, or IND-CCA).

The result follows the paradigm of similar negative results in the literature. We must make the minimal assumption that some encryption scheme $\mathcal{SE}'$ secure in the given sense exists, else the question is moot. We then modify the given encryption scheme to a new scheme $\mathcal{SE}$ so that when $\mathcal{SE}$ becomes the base encryption scheme of the extended encryption scheme with public redundancy, we can provide an attack on the integrity of the latter. The proof of the following theorem can be found in the full version of this paper.

Theorem 2. [Encryption with public redundancy] Suppose there exists a symmetric encryption scheme $\mathcal{SE}'$ which is IND-CCA (resp. IND-CPA, NM-CPA) secure. Then there exists a symmetric encryption scheme $\mathcal{SE}$ which is also IND-CCA (resp. IND-CPA, NM-CPA) secure but, for any redundancy code $\mathcal{RC}$, the extended encryption scheme with public redundancy $\mathcal{EPR}$ associated to $\mathcal{SE}$ and $\mathcal{RC}$ is not INT-CTXT secure.

5 Encryption with Secret Redundancy

In this section, we examine encryption schemes with secret redundancy in general, to determine whether or not they provide integrity.

The following theorem states the negative result where the base encryption scheme is IND-CPA secure. The proof can be found in the full version of this paper.

Theorem 3. [IND-CPA encryption with secret redundancy] Suppose there exists a symmetric encryption scheme $\mathcal{SE}'$ which is IND-CPA secure. Then there exists a symmetric encryption scheme $\mathcal{SE}$ which is also IND-CPA secure but, for any redundancy code $\mathcal{RC}$, the extended encryption scheme with secret redundancy $\mathcal{ESR}$ associated to $\mathcal{SE}$ and $\mathcal{RC}$ is not INT-CTXT secure.

For the positive result, we define below the (necessary and sufficient) security property required of the redundancy code.

We define a notion of unforgeability under no message attack (UF-NMA), which is the weakest form of security required of a MAC (message authentication code): roughly, the adversary wins if it outputs a valid message and tag pair without seeing any legitimately produced message and tag pairs. Since a MAC and a redundancy code are syntactically identical, we adopt the weakest security notion of a MAC as the security notion of a redundancy code. The formal definition is given below. Note that, in the attack model, the key to the redundancy code is not given to the adversary, indicating that the redundancy is secret.

Definition 3. [Unforgeability under no message attack (UF-NMA)] Let $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ be a redundancy code. Let $k \in \mathbb{N}$. Let $F$ be an adversary. Consider the following experiment:
Algorithm $\mathcal{K}_e(k)$
  $a_1 \xleftarrow{\$} \{0,1\}^k$ ; $a_2 \xleftarrow{\$} \{0,1\}^k$
  Return $(a_1 \| a_2)$

Algorithm $\mathcal{E}_{a_1 \| a_2}(X)$
  Parse $X$ as $x_1 \cdots x_{n+1}$
  $y_0 \xleftarrow{\$} \{0,1\}^l$
  For $i = 1, \ldots, n$ do $y_i \leftarrow F_{a_1}(y_{i-1} \oplus x_i)$
  $y_{n+1} \leftarrow F_{a_2}(y_n \oplus x_{n+1})$
  Return $y_0 y_1 \cdots y_{n+1}$

Algorithm $\mathcal{D}_{a_1 \| a_2}(Y)$
  Parse $Y$ as $y_0 y_1 \cdots y_{n+1}$
  For $i = 1, \ldots, n$ do $x_i \leftarrow F_{a_1}^{-1}(y_i) \oplus y_{i-1}$
  $x_{n+1} \leftarrow F_{a_2}^{-1}(y_{n+1}) \oplus y_n$
  $X \leftarrow x_1 \cdots x_{n+1}$
  Return $X$

Fig. 2. Nested CBC encryption scheme $\mathrm{NCBC}[F] = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$.



Experiment $\mathbf{Exp}^{\text{uf-nma}}_{\mathcal{RC},F}(k)$
  $K_r \xleftarrow{\$} \mathcal{K}_r(k)$ ; $(M, \tau) \xleftarrow{\$} F(k)$
  If $\tau = \mathcal{H}_{K_r}(M)$ then return 1 else return 0

We define the advantage of the adversary via

$\mathbf{Adv}^{\text{uf-nma}}_{\mathcal{RC},F}(k) = \Pr\left[\mathbf{Exp}^{\text{uf-nma}}_{\mathcal{RC},F}(k) = 1\right]$.

The redundancy code $\mathcal{RC}$ is said to be UF-NMA secure if the function $\mathbf{Adv}^{\text{uf-nma}}_{\mathcal{RC},F}(\cdot)$ is negligible for any adversary $F$ whose time complexity is polynomial in $k$.

The following theorem states the positive results. The proof can be found in the full version of this paper.

Theorem 4. [NM-CPA or IND-CCA encryption with secret redundancy] Let $\mathcal{SE}$ be a symmetric encryption scheme which is NM-CPA or IND-CCA secure and let $\mathcal{RC}$ be a redundancy code. Then the extended encryption scheme with secret redundancy $\mathcal{ESR}$ associated to $\mathcal{SE}$ and $\mathcal{RC}$ is INT-CTXT secure if and only if the redundancy code $\mathcal{RC}$ is UF-NMA secure.



6 Nested CBC (NCBC) with Redundancy

In this section, we will consider a "natural" variant of CBC encryption, called "Nested CBC (NCBC)", designed to eliminate length-based attacks. The detailed description of NCBC is given below.

Let $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a family of permutations (i.e. a block cipher). We let $F_a(\cdot) = F(a, \cdot)$ and we let $F_a^{-1}$ denote the inverse of $F_a$, for any key $a \in \{0,1\}^k$. Our variant of CBC encryption involves the use of two keys instead of just one. The additional key is used for the last iteration of the block cipher. We call this variant of CBC the Nested CBC (NCBC) and denote it by $\mathrm{NCBC}[F] = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$. The algorithms for the NCBC encryption scheme are shown in Figure 2. We assume that the messages have length a multiple of the block length $l$.

Given the NCBC encryption scheme, we examine what kinds of security properties for the redundancy code will provide integrity of ciphertexts for the encryption scheme with redundancy. We examine this for both public redundancy and secret redundancy. In order to facilitate the practical security analyses, we will make concrete security assessments for the schemes examined in this section.
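The following Python program is an added example written for this edition; it is not code from the paper. It instantiates Constructions 1 and 2 on top of the NCBC[F] scheme of Fig. 2 and exercises the INT-CTXT check of Definition 2 against a tampered ciphertext. Everything not in the paper is an assumption of the example: the block cipher F is a toy 64-bit Feistel permutation built from SHA-256 (so the program runs without a cryptographic library; it stands in for an SPRP and offers no real security), the secret redundancy code is a polynomial hash over GF(2^64) of the AXU kind treated in Section 6.1, the public redundancy code is HMAC, the XCR candidate named at the end of Section 6.2, and the key lengths, function names and sample plaintext are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8     # l = 64-bit blocks; toy size chosen so the GF(2^64) arithmetic below stays short
KEYLEN = 16   # key length of the toy cipher (an assumption of this example, not the paper's)
ROUNDS = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the toy Feistel cipher: a hash of (key, round index, half block).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def F(key, x):
    """Toy 64-bit Feistel permutation F_key. A Feistel network is a permutation for any
    round function, so F_inv below exists; it is a stand-in for an SPRP, not a real cipher."""
    L, R = x[:4], x[4:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _round(key, i, R))
    return L + R

def F_inv(key, y):
    L, R = y[:4], y[4:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(key, i, L)), L
    return L + R

def ncbc_encrypt(a1, a2, X, y0=None):
    """NCBC[F] of Fig. 2: random-IV CBC under a1, with only the LAST block enciphered under a2."""
    assert X and len(X) % BLOCK == 0, "message length must be a positive multiple of l"
    xs = [X[i:i + BLOCK] for i in range(0, len(X), BLOCK)]
    ys = [os.urandom(BLOCK) if y0 is None else y0]
    for i, x in enumerate(xs):
        ys.append(F(a2 if i == len(xs) - 1 else a1, _xor(ys[-1], x)))
    return b"".join(ys)

def ncbc_decrypt(a1, a2, Y):
    ys = [Y[i:i + BLOCK] for i in range(0, len(Y), BLOCK)]
    last = len(ys) - 1
    return b"".join(_xor(F_inv(a2 if i == last else a1, ys[i]), ys[i - 1])
                    for i in range(1, last + 1))

_POLY = (1 << 64) | 0b11011   # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= _POLY
    return r

def axu_hash(kr, M):
    """Secret-key polynomial hash over GF(2^64) (Horner form, length block appended).
    For x != x', H_K(x) xor H_K(x') = r forces the random key K to be a root of a nonzero
    polynomial of degree <= n+1, so the probability is <= (n+1)/2^64: AXU (Definition 5)."""
    K, acc = int.from_bytes(kr, "big"), 0
    blocks = [M[i:i + BLOCK] for i in range(0, len(M), BLOCK)]
    for blk in blocks + [len(M).to_bytes(BLOCK, "big")]:
        acc = _gf_mul(acc ^ int.from_bytes(blk, "big"), K)
    return acc.to_bytes(BLOCK, "big")

def hmac_redundancy(kr, M):
    """Keyed hash whose key may be public: HMAC (the text's XCR candidate), cut to one block."""
    return hmac.new(kr, M, hashlib.sha256).digest()[:BLOCK]

def er_encrypt(a1, a2, kr, red, M, y0=None):
    """Constructions 1/2 over NCBC[F]: encrypt M || H_Kr(M). The same code gives SNCBC or
    PNCBC; the difference is only whether kr is withheld from or handed to the adversary."""
    return ncbc_encrypt(a1, a2, M + red(kr, M), y0)

def er_decrypt(a1, a2, kr, red, C):
    """Returns the plaintext, or None (the paper's bottom symbol) if the redundancy check fails."""
    if len(C) % BLOCK or len(C) < 2 * BLOCK:
        return None
    N = ncbc_decrypt(a1, a2, C)
    M, tau = N[:-BLOCK], N[-BLOCK:]
    return M if hmac.compare_digest(red(kr, M), tau) else None

def demo(a1, a2, kr):
    """For each redundancy code: honest decryption succeeds and a ciphertext with one flipped
    bit is rejected (the INT-CTXT forgery of Definition 2). Returns {name: (ok, rejected)}."""
    M = b"attack at dawn!!"   # constructed two-block sample plaintext
    out = {}
    for name, red in (("SNCBC/AXU", axu_hash), ("PNCBC/HMAC", hmac_redundancy)):
        C = er_encrypt(a1, a2, kr, red, M)
        forged = bytearray(C)
        forged[BLOCK] ^= 0x80   # tamper with the first ciphertext block y_1
        out[name] = (er_decrypt(a1, a2, kr, red, C) == M,
                     er_decrypt(a1, a2, kr, red, bytes(forged)) is None)
    return out

if __name__ == "__main__":
    print(demo(os.urandom(KEYLEN), os.urandom(KEYLEN), os.urandom(BLOCK)))
```

The length block appended in `axu_hash` is what keeps the code AXU across messages of different lengths: without it, prepending an all-zero block to a message would leave the hash unchanged. Replacing `F` with a real block cipher and `BLOCK` with its block size leaves the rest of the program unchanged.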

Since the security of the NCBC scheme is based on the security of the under- 
lying block cipher (as well as that of the redundancy code), we first define the 
security property of the underlying block cipher on which our security analysis 
will be based. 

Block ciphers are usually modeled as "pseudorandom permutations" (sometimes even as "pseudorandom functions"). However, we use a stronger notion called strong pseudorandom permutation (SPRP) [22], where the adversary gets access to both forward and inverse permutation oracles in the attack model.



Definition 4. [Strong pseudorandom permutation (SPRP)] Let $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher with key-length $k$ and block-length $l$. Let $P^l$ be the family of all permutations on $l$ bits. Let $k \in \mathbb{N}$ and $b \in \{0,1\}$. Let $D$ be an adversary that has access to oracles $g(\cdot)$ and $g^{-1}(\cdot)$. Consider the following experiment:

Experiment $\mathbf{Exp}^{\text{sprp-}b}_{F,D}(k)$
  If $b = 0$ then $g \xleftarrow{\$} P^l$ else $K \xleftarrow{\$} \{0,1\}^k$ ; $g \leftarrow F_K$
  $d \xleftarrow{\$} D^{g(\cdot),\,g^{-1}(\cdot)}(k)$ ; return $d$

We define the advantage and the advantage function of the adversary as follows. For any integers $t, q \geq 0$,

$\mathbf{Adv}^{\text{sprp}}_{F,D}(k) = \Pr\left[\mathbf{Exp}^{\text{sprp-}1}_{F,D}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{sprp-}0}_{F,D}(k) = 1\right]$

$\mathbf{Adv}^{\text{sprp}}_{F}(k, t, q) = \max_{D} \left\{ \left|\mathbf{Adv}^{\text{sprp}}_{F,D}(k)\right| \right\}$

where the maximum is over all $D$ with time complexity $t$, making at most $q$ queries to the oracles $g(\cdot)$ and $g^{-1}(\cdot)$. The block cipher $F$ is said to be SPRP secure if the function $\mathbf{Adv}^{\text{sprp}}_{F,D}(k)$ is negligible for any adversary $D$ whose time complexity is polynomial in $k$.

The "time-complexity" refers to that of the entire experiment. Here, the choice of a random permutation $g$ is not made all at once, but rather $g$ is simulated in the natural way.



6.1 NCBC with Secret Redundancy

Here we examine what kind of property on the redundancy code suffices to make the NCBC with secret redundancy provide integrity. We denote by $\mathrm{SNCBC}[F, \mathcal{RC}] = (\mathcal{K}_s, \mathcal{E}, \mathcal{D})$ the extended encryption scheme with secret redundancy associated to the NCBC encryption scheme $\mathrm{NCBC}[F] = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ and a redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$.

It turns out that the NCBC scheme with secret redundancy provides integrity if the underlying secret redundancy meets the notion of almost XOR universal (AXU).

Definition 5. [Almost XOR Universal (AXU)] Let $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ be a redundancy code whose output length is $\ell(k)$, where $k \in \mathbb{N}$. We define the advantage function of the redundancy code $\mathcal{RC}$ as follows.

$\mathbf{Adv}^{\text{axu}}_{\mathcal{RC}}(k, \mu) = \max \left\{ \Pr\left[ \mathcal{H}_{K_r}(x) \oplus \mathcal{H}_{K_r}(x') = r \;:\; K_r \xleftarrow{\$} \mathcal{K}_r(k) \right] \right\}$

where the maximum is taken over all distinct $x, x'$ of length at most $\mu$ each, and all $r \in \{0,1\}^{\ell(k)}$.

We now state the theorem concerning the security of the NCBC scheme with secret redundancy. The proof can be found in the full version of this paper.

Theorem 5. [Integrity of NCBC with secret redundancy] Let $\mathcal{RC}$ be a redundancy code whose output length is $l$ bits. Let $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher, and let $\mathrm{NCBC}[F]$ be the NCBC encryption scheme based on $F$. Let $\mathrm{SNCBC}[F, \mathcal{RC}]$ be the extended encryption scheme with secret redundancy associated to $\mathrm{NCBC}[F]$ and $\mathcal{RC}$. Let $k \in \mathbb{N}$. Then

~ 2 — ^ m) + + Adv^"^P(/c, /, g + ^//) | 



6.2 NCBC with Public Redundancy

The NCBC with public redundancy scheme also provides authenticity if a certain condition on the underlying redundancy code is satisfied. We denote by $\mathrm{PNCBC}[F, \mathcal{RC}] = (\mathcal{K}_c, \mathcal{K}_s, \mathcal{E}, \mathcal{D})$ the extended encryption scheme with public redundancy associated to the NCBC encryption scheme $\mathrm{NCBC}[F] = (\mathcal{K}_e, \mathcal{E}, \mathcal{D})$ and a redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$.

We want to examine what kind of security property for the underlying public redundancy suffices to make the NCBC scheme with public redundancy provide integrity. It turns out that, for the redundancy code, a cryptographic property called "XOR-collision-resistance" suffices to provide integrity for the NCBC scheme with public redundancy. XOR-collision-resistance is slightly stronger than "collision-resistance". Roughly, a redundancy code $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ is said to be XOR-collision-resistant (XCR) if it is "hard" to find strings $x, x'$ with $x \neq x'$ such that $\mathcal{H}_{K_r}(x) \oplus \mathcal{H}_{K_r}(x') = r$ for any committed value $r$ and any given key $K_r$. We define XOR-collision-resistance (XCR) more formally as follows.

Definition 6. [XOR-Collision-Resistance (XCR)] Let $\mathcal{RC} = (\mathcal{K}_r, \mathcal{H})$ be a redundancy code whose output length is $\ell(k)$, where $k \in \mathbb{N}$. Let $B = (B_1, B_2)$ be an adversary. Consider the following experiment:

Experiment $\mathbf{Exp}^{\text{xcr}}_{\mathcal{RC},B}(k)$
  $(r, s) \xleftarrow{\$} B_1(k)$ ; $K_r \xleftarrow{\$} \mathcal{K}_r(k)$ ; $(x, x') \xleftarrow{\$} B_2(K_r, r, s)$
  If $\mathcal{H}_{K_r}(x) \oplus \mathcal{H}_{K_r}(x') = r$ and $x \neq x'$ then return 1 else return 0

Above, the variable $s$ denotes the state information. We define the advantage and the advantage function of the adversary via

$\mathbf{Adv}^{\text{xcr}}_{\mathcal{RC},B}(k) = \Pr\left[\mathbf{Exp}^{\text{xcr}}_{\mathcal{RC},B}(k) = 1\right]$

$\mathbf{Adv}^{\text{xcr}}_{\mathcal{RC}}(k, t) = \max_{B} \left\{ \mathbf{Adv}^{\text{xcr}}_{\mathcal{RC},B}(k) \right\}$

where the maximum is over all $B$ with time complexity $t$. The redundancy code $\mathcal{RC}$ is said to be XCR secure if the function $\mathbf{Adv}^{\text{xcr}}_{\mathcal{RC},B}(k)$ is negligible for any adversary $B$ whose time complexity is polynomial in $k$.

XOR-collision-resistance (XCR) as defined above is a new notion that has not been explicitly studied in the literature. In XCR, the adversary first outputs a string $r$ and then obtains the key to the function. The adversary's goal is to find a pair of strings $x, x'$ (called an "XOR-collision" pair) such that the XOR of their images equals $r$.

Given the definitions for the security properties of the underlying primitives, we now state the theorem regarding the security of the PNCBC scheme. Following that we will further discuss XCR redundancy codes. The proof can be found in the full version of this paper.

Theorem 6. [Integrity of NCBC with public redundancy] Let $\mathcal{RC}$ be a redundancy code whose output length is $l$ bits. Let $F: \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher, and let $\mathrm{NCBC}[F]$ be the NCBC encryption scheme based on $F$. Let $\mathrm{PNCBC}[F, \mathcal{RC}]$ be the extended encryption scheme with public redundancy associated to $\mathrm{NCBC}[F]$ and $\mathcal{RC}$. Let $k \in \mathbb{N}$. Then

Advp^^gp[^_.^q {k, t, q, p) 

< mq ■ Adv^“ t') + 2i-m 2{2^~ m) ^ ^ t,q + m) 

where $m = \mu/l$.

We now further discuss XCR redundancy codes. Note that the XCR property can 
be thought of as a cryptographic counterpart of the AXU property described in 
the previous section. The combinatorial property of AXU (for secret redundancy) 
is weaker, and therefore, easier to implement than the cryptographic property of 
XCR (for public redundancy). This tells us that by adding the power of secrecy 
to the redundancy code, one can achieve the same security (i.e. integrity) for 
the NCBC with redundancy scheme under a weaker security assumption on the 
underlying redundancy code. 

What are candidates for XCR redundancy codes? Note that an unkeyed hash function like SHA-1 does not yield an XCR redundancy code. Indeed, an adversary can choose any distinct $x, x'$, and let $r = \mathrm{SHA\text{-}1}(x) \oplus \mathrm{SHA\text{-}1}(x')$. It can output $r$ in its first stage, and $x, x'$ in its second, and win the game. An XCR redundancy code must be keyed. A keyed hash function is a good candidate. Specifically, we suggest that HMAC [3] is a candidate for an XCR redundancy code. In the full version of this paper we discuss other constructions including a general way to transform any collision-resistant function into an XCR redundancy code.
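The two-stage XCR game of Definition 6 and the attack on an unkeyed hash described above, as an added Python example that is not part of the paper. The adversary, the two redundancy codes, the key length and the inputs are constructed for the illustration. Running the same adversary against HMAC only shows that this particular precompute-and-replay strategy fails once the key is drawn after the commitment; it is not evidence that HMAC is XCR, which the paper puts forward as a candidate rather than proves.

```python
import hashlib
import hmac
import os

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def sha1_code(kr, x):
    """Unkeyed redundancy code: K_r is ignored, so the function is fixed before the key is drawn."""
    return hashlib.sha1(x).digest()

def hmac_code(kr, x):
    """The keyed candidate named in the text, HMAC (here over SHA-1), under the public key K_r."""
    return hmac.new(kr, x, hashlib.sha1).digest()

def xcr_experiment(code, adversary, key_len=16, rng=os.urandom):
    """Exp^{xcr}_{RC,B}(k) of Definition 6: B_1 commits to r (and state s) before K_r exists;
    then K_r is drawn and handed to B_2, which must output x != x' with
    H_Kr(x) xor H_Kr(x') = r. Returns 1 if B wins, else 0."""
    b1, b2 = adversary
    r, s = b1()
    kr = rng(key_len)
    x, xp = b2(kr, r, s)
    return int(x != xp and _xor(code(kr, x), code(kr, xp)) == r)

def precompute_adversary(code, guessed_key=bytes(16)):
    """The attack from the text: fix x, x' up front, commit r = H(x) xor H(x'), replay the pair.
    Against an unkeyed code this always wins. Against a keyed code B_1 has to evaluate H under
    a guessed key (K_r does not exist yet), so the committed r is right only if the guess was."""
    x, xp = b"message one", b"message two"   # constructed inputs

    def b1():
        return _xor(code(guessed_key, x), code(guessed_key, xp)), None

    def b2(kr, r, s):
        return x, xp

    return b1, b2

def win_count(code, trials=16):
    """Number of independent XCR experiments (fresh K_r each time) won by the precompute adversary."""
    return sum(xcr_experiment(code, precompute_adversary(code)) for _ in range(trials))

if __name__ == "__main__":
    print("SHA-1 (unkeyed):  ", win_count(sha1_code), "/ 16 wins")
    print("HMAC-SHA1 (keyed):", win_count(hmac_code), "/ 16 wins")
```

The order of operations in `xcr_experiment` is the whole point of the definition: `b1` runs before `rng` produces the key, so whatever the adversary learns about the function afterwards cannot change the value it has already committed to.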
Abstract. We define a new mode of operation for block encryption which in addition to assuring confidentiality also assures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware CBC (IACBC), requires a total of m + 2 block encryptions on a plain-text of length m blocks. The well known CBC (cipher block chaining) mode requires m block encryptions. The second pass of computing the CBC-MAC essentially requires an additional m block encryptions. A new highly parallelizable mode (IAPM) is also shown to be secure for both encryption and message integrity.



1 Introduction

Symmetric key encryption is an integral part of the world of communication today. It refers to the schemes and algorithms used to communicate data secretly over an insecure channel between parties sharing a secret key. It is also used in other scenarios like data storage.

There are two primary aspects of any security system: confidentiality and authentication. In its most prevalent form, confidentiality is attained by encryption of bulk digital data using block ciphers. The block ciphers (e.g. DES), which are used to encrypt fixed length data, are used in various chaining modes to encrypt bulk data. One such mode of operation is cipher block chaining (CBC). The security of CBC has been well studied.

Cipher block chaining of block ciphers is also used for authentication between parties sharing a secret key. The CBC-MAC (CBC Message Authentication Code) is an international standard, and its security has been demonstrated. Authentication in this setting is also called Message Integrity.

Despite similar names, the two CBC modes, one for encryption and the other for MAC, are different, as in the latter the intermediate results of the computation of the MAC are kept secret. In fact in most standards (TLS, IPsec) and proprietary security systems, two different passes with two different keys, one for each of the two modes, are used to achieve both confidentiality and authentication.

Nevertheless, it is enticing to combine the two passes into one so that in a
single cipher block chaining pass, both confidentiality and authentication are
assured. Many such attempts have been made, which essentially use a simple
checksum or manipulation detection code (MDC) in the chaining mode.
Unfortunately, all such previous schemes are susceptible to attacks.

B. Pfitzmann (Ed.): EUROCRYPT 2001, LNCS 2045, pp. 529-, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001

We mention here that there are two alternative approaches to authenticated
encryption. The first is to generate a MAC using universal hash functions, as
in UMAC. UMACs on certain architectures can be generated rather fast.
However, UMAC suffers from requiring too much key material, or a pseudorandom
number generator (PRNG) to expand the key. In another scheme, block
numbers are embedded into individual blocks to thwart attacks against message
integrity. However, this makes the ciphertext longer.

In this paper, we present a new variant of CBC mode, which in a single
pass achieves both confidentiality and authentication. To encrypt a message of
length $m$ blocks, it requires a total of $m + \log m$ block encryptions. All other
operations are simple operations, like exclusive-or. To contrast this with the
usual CBC mode, the encryption pass requires $m$ block encryptions, and the
CBC-MAC computation requires another $m$ block encryptions.

Our new mode of operation is also simple. A simpler (though not as efficient)
version of the mode just requires a usual CBC encryption of the plaintext
appended with the checksum (MDC), with a random initial vector $r$. As already
mentioned, such a scheme is susceptible to message integrity attacks. However, if
one "whitens" the complete output with a random sequence, the scheme becomes
secure against message integrity attacks. Whitening just refers to xor-ing the
output with a random sequence. The random sequence could be generated by
running the block cipher on $r+1, r+2, \ldots, r+m$ (but with a different shared
key). This requires $m$ additional cryptographic operations, and hence is no more
efficient than generating a MAC.

The efficiency of the new mode comes from proving that the output whitening
random sequence need only be pair-wise independent. In other words, if the
output whitening sequence is $S_1, S_2, \ldots, S_m$, then each $S_i$ is required to be random,
but only pairwise independent of the other entries. Such a sequence is easily
generated by performing only $\log m$ cryptographic operations like block encryption.
A simple algebraic scheme can also generate such a sequence by performing only
two cryptographic operations.

In fact, an even weaker condition than pair-wise independence suffices. A
sequence of uniformly distributed $n$-bit random numbers $s_1, s_2, \ldots, s_m$ is called
pair-wise differentially-uniform if for every $n$-bit constant $c$, and every pair $i, j$,
$i \neq j$, the probability that $s_i \oplus s_j = c$ is $2^{-n}$. We show that the output whitening
sequence need only be pair-wise differentially-uniform. A simple algebraic scheme
can generate such a sequence by performing only one cryptographic operation.

The pair-wise independent sequence generated to assure message integrity
can also be used to remove chaining from the encryption mode while still
assuring confidentiality. This results in a mode of operation for authenticated
encryption which is highly parallelizable. Once again, we show that a pair-wise
differentially-uniform sequence suffices to guarantee security of both confidentiality
and authentication in this parallelizable version.

Recently and independently, Gligor and Donescu also described a mode
of operation similar to CBC (but not the parallelizable mode) which has built-in
message integrity, although with a slightly weaker security bound than our
construction.

The rest of the paper is organized as follows. Section 2 describes the new mode 
of operation. Section 3 gives definitions of random permutations, and formalizes 
the notions of security, for both confidentiality and message integrity. In section 
4 we prove that the new (parallelizable) scheme is secure for message integrity. 
In section 5 we state the secrecy theorem of the new mode of operation. 

2 The New Modes of Operation 

We begin by defining two properties of a sequence of random numbers which are
slightly weaker than the well known pair-wise independence property. The first
property has also appeared in earlier work.



2.1 Pairwise Differentially-Uniform Random Numbers 

Definition 2.1 (pair-wise differentially-uniform): A sequence of uniformly distributed
$n$-bit random numbers $s_1, s_2, \ldots, s_z$ is called pair-wise differentially-uniform
if for every $n$-bit constant $c$, and every pair $i, j$, $i \neq j$, the probability that
$s_i \oplus s_j = c$ is $2^{-n}$.

Definition 2.2: A sequence of random numbers $s_1, s_2, \ldots, s_z$ uniformly distributed
in $GF_p$ is called pair-wise differentially-uniform in $GF_p$ if for every constant $c$
in $GF_p$, and every pair $i, j$, $i \neq j$, the probability that $(s_i - s_j) \bmod p = c$ is $1/p$.

2.2 The New Modes: IACBC and IAPM

Now we describe the new modes of operation for encryption, which also guarantee
message integrity. We will describe the parallelizable mode in more detail, as it
is for this mode that we provide detailed proofs in this paper.

The mode similar to CBC is called IACBC, for integrity aware cipher block
chaining. It is described in Fig. 1. The parallelizable mode is called IAPM, for
integrity aware parallelizable mode. It is described in Fig. 2. We now give more
details for IAPM. After reading the details for IAPM, the definition of IACBC
will be clear from Fig. 1.

Let $n$ be the block size of the underlying block cipher (or pseudo-random
permutation). For now we assume that if the block cipher requires keys of length
$k$, then this mode of operation requires two keys of length $k$. Let these keys be
called $K1$ and $K2$. From now on, we will use $f_x$ to denote the encryption function
under key $x$. The same notation also holds for pseudo-random permutations.

The message to be encrypted, $P$, is divided into blocks of length $n$ each. Let
these blocks be $P_1, P_2, \ldots, P_{z-1}$. As in CBC, a random initial vector of length $n$
(bits) is chosen. This random vector $r$ is expanded into $t = O(\log z)$ new random
vectors $W_1, \ldots, W_t$ using the block cipher and key $K2$ as follows:
Fig. 1. Encryption with Message Integrity (IACBC) [figure not reproduced; its labels show the whitening inputs $r+1, r+2, \ldots, r+t$]

Fig. 2. Parallelizable Encryption with Message Integrity (IAPM) [figure not reproduced]



    W_1 = f_{K2}(r)
    for i = 2 to t do
        W_i = f_{K2}(W_1 + i - 2)
    end for

As we will show in Section 4, with high probability the $t$ vectors are independent.
The $t$ random and independent vectors are used to prepare $z + 1$ new pair-wise
differentially-uniform random vectors $S_0, S_1, \ldots, S_z$. There are several ways to
generate such a sequence, some requiring $t$ to be only one. Such a scheme will
be described towards the end of this section. For now, consider the following
method using subsets ($t = \lceil \log(z+2) \rceil$):

    for i = 1 to 2^t - 1 do
        Let <a_1, a_2, ..., a_t> be the binary representation of i
        S_{i-1} = \sum_{j=1}^{t} a_j \cdot W_j
    end for

The summation in the for loop above is an xor-sum.

The ciphertext message $C = \langle C_0, C_1, \ldots, C_z \rangle$ is generated as follows (see
Figure 2). The encryption pseudo-code follows:

    C_0 = r
    for i = 1 to z - 1 do
        M_i = P_i ⊕ S_i
        N_i = f_{K1}(M_i)
        C_i = N_i ⊕ S_i
    end for
    checksum = \sum_{i=1}^{z-1} P_i
    M_z = checksum ⊕ S_z
    N_z = f_{K1}(M_z)
    C_z = N_z ⊕ S_0

Again, the summation above is an xor-sum. Note that $S_0$ is used in the last
step.

It is easy to see that the above scheme is invertible. The inversion process
yields blocks $P_1, P_2, \ldots, P_z$. The decrypted plaintext is $\langle P_1, P_2, \ldots, P_{z-1} \rangle$.
Message integrity is verified by checking $P_z = P_1 \oplus P_2 \oplus \cdots \oplus P_{z-1}$.

The random vectors $W_1, \ldots, W_t$ can also be generated as in Fig. 1, in which
case $C_0$ is set to $f_{K1}(r)$ (instead of $r$).
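The following Python script is an added worked example (not the paper's code) of the IAPM encryption and decryption just described: the whitening vectors $W_1, \ldots, W_t$ are derived from $r$ via $f_{K2}$, the masks $S_0, \ldots, S_z$ are built by the subset method with $t = \lceil \log(z+2) \rceil$, and the decryptor recovers $P_1, \ldots, P_z$ and rejects the message unless $P_z$ equals the xor of $P_1, \ldots, P_{z-1}$. As in the paper's proofs, $f_{K1}$ and $f_{K2}$ are modelled as two independent random permutations; here they are realised as seeded lookup tables over 16-bit blocks so that the script runs offline, which is a stand-in and not a real block cipher. The block size, seeds and sample plaintext are constructed for this illustration. The script also checks that altering one ciphertext block is rejected; that rejection is certain, because $f_{K1}^{-1}$ is a bijection and so changing one $C_i$ changes exactly one recovered $P_i$ while $P_z$ is unchanged.

```python
import math
import random

N_BITS = 16                      # block size n; 16 bits keeps the permutation tables small
MASK = (1 << N_BITS) - 1


def random_permutation(seed):
    """Stand-in for the block cipher under one key: a uniformly random
    permutation of {0,1}^n as a lookup table. Returns (forward, inverse)."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table.__getitem__, table.index   # table.index inverts; slow but fine here


F, F_INV = random_permutation(0xA1)   # f_{K1} and its inverse
G, _ = random_permutation(0xB2)       # f_{K2}, only ever applied forward


def whitening_vectors(r, t):
    """W_1 = f_{K2}(r); W_i = f_{K2}(W_1 + i - 2) for i = 2..t."""
    W = [G(r)]
    for i in range(2, t + 1):
        W.append(G((W[0] + i - 2) & MASK))
    return W


def masks(r, z):
    """S_0..S_z by the subset method: for i = 1..2^t - 1, S_{i-1} is the xor of
    the W_j selected by the binary digits of i, with t = ceil(log2(z + 2))."""
    t = math.ceil(math.log2(z + 2))
    W = whitening_vectors(r, t)
    S = []
    for i in range(1, 2 ** t):
        s = 0
        for j in range(t):
            if (i >> j) & 1:
                s ^= W[j]
        S.append(s)
    return S[: z + 1]               # 2^t - 1 >= z + 1, so enough masks exist


def iapm_encrypt(plaintext, r):
    """IAPM: C_0 = r; C_i = f_{K1}(P_i xor S_i) xor S_i for the data blocks;
    the checksum block is masked with S_z on input and S_0 on output."""
    z = len(plaintext) + 1
    S = masks(r, z)
    C = [r]
    checksum = 0
    for i, p in enumerate(plaintext, start=1):
        checksum ^= p
        C.append(F(p ^ S[i]) ^ S[i])
    C.append(F(checksum ^ S[z]) ^ S[0])
    return C


def iapm_decrypt(C):
    """Invert the mode; return P_1..P_{z-1}, or None if P_z != xor of the P_i."""
    z = len(C) - 1
    S = masks(C[0], z)
    P = [F_INV(C[i] ^ S[i]) ^ S[i] for i in range(1, z)]
    P_z = F_INV(C[z] ^ S[0]) ^ S[z]
    checksum = 0
    for p in P:
        checksum ^= p
    return P if P_z == checksum else None


# Constructed sample: five 16-bit plaintext blocks and a fixed IV.
SAMPLE_P = [0x0001, 0xC0DE, 0xFACE, 0x1234, 0x9999]
SAMPLE_R = 0x0BAD


def roundtrip():
    return iapm_decrypt(iapm_encrypt(SAMPLE_P, SAMPLE_R))


def tampered_block_is_rejected():
    """Flip one bit of C_2: exactly one recovered P_i changes and P_z does not,
    so the checksum comparison must fail."""
    C = iapm_encrypt(SAMPLE_P, SAMPLE_R)
    C[2] ^= 0x0001
    return iapm_decrypt(C) is None


if __name__ == "__main__":
    print("round trip ok   :", roundtrip() == SAMPLE_P)
    print("tamper rejected :", tampered_block_is_rejected())
```

Note that every data block is processed independently once the masks are known, which is what makes the mode parallelizable; only the mask derivation and the final xor checksum are sequential.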

There are many other ways of generating the pair-wise differentially-uniform
vectors $S_0, S_1, \ldots, S_z$ ($z < 2^n$). One could generate a sequence of pairwise
differentially uniform vectors by an algebraic construction in $GF_p$ as follows: generate
two random vectors $W_1$ and $W_2$, and then let $S_i = (W_1 + W_2 \cdot i) \bmod p$, where
$p$ is a prime of appropriate size. For example, if the block cipher has block size
64 bits, $p$ could be chosen to be $2^{64} - 257$. This leads to a fast implementation.

A sequence of $2^n - 1$ $n$-bit uniform random numbers, which are pair-wise
differentially uniform, can also be generated by viewing the $n$-bit numbers as
elements of $GF(2^n)$. Consider $S_i = e(i) \cdot W$, where $W$ is a random number
in $GF(2^n)$, $e(i)$ is a one-to-one function from $Z_{2^n - 1}$ to the non-zero elements of
$GF(2^n)$, and the multiplication is in $GF(2^n)$. Then $S_i$ is a pair-wise differentially
uniform sequence of uniformly distributed random numbers. Note that
this requires generation of only one $W$ (i.e. $t = 1$).

The $GF_p$ construction with only one $W$, instead of two, is not pair-wise differentially
uniform (as opposed to the previous construction in $GF(2^n)$). However,
it is pair-wise differentially uniform in $GF_p$ (see Definition 2.2). More precisely,
the sequence $S_i = (W_1 \cdot i) \bmod p$ is pair-wise differentially uniform in $GF_p$
(assuming $W_1$ is uniformly distributed in $GF_p$). Such a sequence can be used
securely in a slight variant of the mode described above where "whitening" now
refers to addition modulo $2^n$ (see Section 4.2).
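To make Definitions 2.1 and 2.2 concrete, the added Python script below (not from the paper) exhaustively checks the three mask constructions of this section at a toy size, $n = 4$ and $p = 13$, where every choice of the secret $W$s can be enumerated: the subset xor-sum of two independent $W$s, the $GF(2^n)$ construction $S_i = e(i) \cdot W$ with $e(i) = i + 1$ and the field defined by $x^4 + x + 1$, and the single-$W$ $GF_p$ construction $S_i = (W \cdot i) \bmod p$. For each pair $i \neq j$ it counts how often each difference occurs over all seeds and reports whether the counts are exactly uniform. The outcome matches the text: the first two are pair-wise differentially uniform under xor, while the single-$W$ $GF_p$ sequence is not under xor but is under subtraction modulo $p$. The toy parameters, the field polynomial and the bijection $e$ are choices made for this illustration.

```python
from collections import Counter

N_BITS = 4
SIZE = 1 << N_BITS          # 16 possible n-bit values
P = 13                      # prime for the GF_p variant (must be < 2^n)
GF16_POLY = 0b10011         # x^4 + x + 1 defines GF(2^4) here


def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= GF16_POLY
    return r


def is_pairwise_differentially_uniform(sequence_of, seeds, diff, alphabet):
    """Definition 2.1/2.2 checked exhaustively. `sequence_of(seed)` returns the
    masks S_0, S_1, ... for one choice of the secret W's; `diff(a, b)` is the
    difference operation (xor or subtraction mod p); `alphabet` is the number
    of possible differences. Uniform means every difference value occurs
    exactly |seeds| / alphabet times for every pair i != j."""
    sequences = [sequence_of(seed) for seed in seeds]
    num_masks = len(sequences[0])
    if len(seeds) % alphabet:
        return False            # cannot be exactly uniform
    expected = len(seeds) // alphabet
    for i in range(num_masks):
        for j in range(i + 1, num_masks):
            counts = Counter(diff(S[i], S[j]) for S in sequences)
            if len(counts) != alphabet or any(v != expected for v in counts.values()):
                return False
    return True


def subset_xor_sequence(seed):
    """Two independent 4-bit W's packed in one 8-bit seed; S_{i-1} for i = 1..3
    is the xor of the W_j selected by the bits of i (the subset method, t = 2)."""
    W = [seed & (SIZE - 1), seed >> N_BITS]
    return [W[0], W[1], W[0] ^ W[1]]


def gf2n_sequence(w):
    """S_i = e(i) * W in GF(2^4); e(i) = i + 1 maps 0..14 onto the non-zero elements."""
    return [gf16_mul(i + 1, w) for i in range(SIZE - 1)]


def gfp_single_w_sequence(w):
    """S_i = (W * i) mod p for i = 1..p-1, with a single W uniform in GF_p."""
    return [(w * i) % P for i in range(1, P)]


def xor_diff(a, b):
    return a ^ b


def modp_diff(a, b):
    return (a - b) % P


def run_checks():
    return {
        "subset xor-sum, xor": is_pairwise_differentially_uniform(
            subset_xor_sequence, range(SIZE * SIZE), xor_diff, SIZE),
        "GF(2^n) multiply, xor": is_pairwise_differentially_uniform(
            gf2n_sequence, range(SIZE), xor_diff, SIZE),
        "GF_p single W, xor": is_pairwise_differentially_uniform(
            gfp_single_w_sequence, range(P), xor_diff, SIZE),
        "GF_p single W, mod p": is_pairwise_differentially_uniform(
            gfp_single_w_sequence, range(P), modp_diff, P),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:24s} pairwise differentially uniform: {ok}")
```

The $GF(2^n)$ case is uniform because $S_i \oplus S_j = (e(i) \oplus e(j)) \cdot W$ and multiplication by a non-zero field element is a bijection of $W$; the $GF_p$ case is uniform under subtraction for the same reason with $(i - j) \bmod p \neq 0$, but its values are not uniform $n$-bit strings, so it cannot satisfy Definition 2.1.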
3 Encryption Schemes: Message Security with Integrity Awareness

We give definitions of schemes which explicitly define the notion of secrecy of
the input message. Of course, pseudo-random permutations can be used to build
encryption schemes which guarantee such message secrecy.

In addition, we also define the notion of message integrity. Moreover, we allow
arbitrary length input messages (up to a certain bound).

Let Coins be the set of infinite binary strings. Let $l(n)$ and $w(n) = O(n)$ be
length functions of the security parameter $n$. Let $\mathcal{N}$ be the natural numbers.

Definition: A (probabilistic, symmetric, stateless) encryption scheme with message
integrity consists of the following:

- initialization: All parties exchange information over private lines to establish
a private key $x \in \{0,1\}^n$. All parties store $x$ in their respective private
memories, and $|x| = n$ is the security parameter.

- message sending with integrity: Let

$E : \{0,1\}^n \times \mathrm{Coins} \times \mathcal{N} \times \{0,1\}^{l(n)} \to \{0,1\}^{l(n)} \times \mathcal{N}$

$D : \{0,1\}^n \times \mathcal{N} \times \{0,1\}^{l(n)} \to \{0,1\}^{l(n)} \times \mathcal{N}$

$MDC : \mathcal{N} \times \{0,1\}^{l(n)} \to \{0,1\}^{w(n)}$

be polynomial-time function ensembles. In $E$, the third argument is supposed
to be the length of the plaintext, and $E$ produces a pair consisting of the ciphertext
and its length. Similarly, in $D$ the second argument is the length of the
ciphertext. We will drop the length arguments when they are clear from context.
The functions $E$ and $D$ have the property that for all $x \in \{0,1\}^n$, for all
$P \in \{0,1\}^{l(n)}$, $c \in \mathrm{Coins}$:

$D_x(E_x(c, P)) = P \,\|\, MDC(P)$

We will usually drop the random argument to $E$ as well, and just think of $E$
as a probabilistic function ensemble. It is also conceivable that MDC may depend
on Coins and the ciphertext.

Definition (Security under Find-then-Guess): Consider an adversary $A$ that
runs in two stages. During the adversary's find stage he endeavors to come up
with a pair of equal length messages, $P^0, P^1$, whose encryptions he wants to tell
apart. He also retains some state information $s$. In the adversary's guess stage
he is given a random ciphertext $y$ for one of the plaintexts $P^0, P^1$, together
with $s$. The adversary is said to "win" if he correctly identifies the plaintext.

An encryption scheme is said to be $(t, q, \mu, \epsilon)$-secure in the find-then-guess
sense if for any adversary $A$ which runs in time at most $t$ and asks at most $q$
queries, these totaling at most $\mu$ bits,

$\mathrm{Adv}_A = 2 \cdot \Pr[(P^0, P^1, s) \leftarrow A^{E_x}(\mathrm{find});\ b \leftarrow \{0,1\};\ y \leftarrow E_x(P^b) : A^{E_x}(\mathrm{guess}, y, s) = b] - 1 < \epsilon$
The following notion of security is also called integrity of ciphertext.

Definition (Message Integrity): Consider an adversary $A$ running in two stages.
In the first stage (find) $A$ asks $r$ queries of the oracle $E_x$. Let the oracle replies
be $C^1, \ldots, C^r$. Subsequently, $A$ produces a ciphertext $C'$, different from each $C^i$,
$i \in [1..r]$. Since $D$ has the length of the ciphertext as a parameter, the breakup of
$D_x(C')$ as $P' \,\|\, P''$, where $|P''| = w(n)$, is well defined. The adversary's success
probability is given by

$\mathrm{Succ} = \Pr[MDC(P') = P'']$

An encryption scheme is secure for message integrity if for any adversary $A$, $A$'s
success probability is negligible.

4 Message Integrity

In this section we show that the mode of operation IAPM in Fig. 2 guarantees
message integrity with high probability.

In the following theorem, we will assume that the block cipher (under a key
$K1$) is a random permutation $F$. We also assume that the $t$ $W$'s are generated
using an independent random permutation $G$ (for instance, using a different key
$K2$ in a block cipher).

Let the adversary's queries in the first stage be $P^1, \ldots, P^m$. We write $p^i$
in lower case, as for each adversary $p^i$ is fixed. All random variables will be
denoted by upper case letters. Let the corresponding ciphertexts be $C^1, \ldots, C^m$.
We will use $C$ to denote the sequence of ciphertext messages $C^1, \ldots, C^m$. For all
random variables corresponding to a block, we will use superscripts to denote
the message number, and subscripts to denote blocks in a particular message.
Thus $C^i_j$ will be the random variable representing the $j$th block in ciphertext
message $i$. More precisely, this variable should be written $C^i_j(F, G)$, as it is a
function of the two permutations. However, we will drop the arguments when it
is clear from context.

Let the adversary's query in the second stage be ciphertext $C'$, different
from all ciphertexts in the first stage. We will use primed variables to denote the
variables in the second stage.

We will use $W$ to denote the set of variables $\{W^i_j : i \in [1..m],\ j \in [1..t]\} \cup
\{W'_j : j \in [1..t]\}$. We will use $S^i$ ($S'$) to denote masks or "whitening" blocks
generated using $W^i$ ($W'$ resp.). Any method can be used to generate $S'$ from
$W'$, as long as $S'$ are pairwise differentially uniform. For a particular adversary,
$S'$ is a function of the permutation $G$ and the initial vector, and hence should (more
precisely) be written as $S'(G, C'_0(F, G))$ ($C'_0(F, G)$ being the IV used to generate
$W'$). But we will drop the arguments as it will be clear from context. For any
constant $r$, we will denote by $S'(r)$ the random variable $S'(G, r)$.

The variables $M$ and $N$ are as in Fig. 2. For example, $M' = P' \oplus S'$.

We start with some informal observations to aid the reader in the eventual
formal proof. Since the new ciphertext $C'$ is different from all old ciphertexts,
it must differ from each old ciphertext $C^i$ in a least block number, say $d(i)$.
For each $C^i$ (except at most one $C^k$), the block number $d(i) = 0$, with high
probability. In Lemma 3 we show that with high probability the $N'$ block at the
position where $C'$ first differs is different from all old $N^i_j$, and from all other new
$N'$ blocks (except for a special case). Thus the corresponding $M'$ block is random.
Then it follows (Theorem 1) that in either case the checksum is unlikely to validate.

We first prove the theorem for schemes in which the pairwise differentially
uniform sequence is generated using only one $W$, i.e. $t = 1$. The general case is
addressed in a later subsection.

Theorem 1. Let $A$ be an adversary attacking the message integrity of IAPM
($t = 1$) with random permutations $F$ and $G$. Let $A$ make at most $m$ queries in
the first stage, totaling at most $\mu$ blocks. Let $u = \mu + m$. Let $v$ be the maximum
number of blocks in the second stage. Then for adversary $A$,

$\mathrm{Succ} \le (2u^2 + (m+1)^2 + u + v + 2 + o(1)) \cdot 2^{-n}$



Proof: In the first stage the adversary makes queries with a total of at most $m$
plaintext messages (chosen adaptively). W.l.o.g. assume that the adversary actually
makes exactly $m$ total message queries in the first stage. Let $L^i$ be the random
variable representing the length of ciphertext $C^i$ (i.e. the checksum block has
index $L^i - 1$). Similarly, $L'$ will denote the length of $C'$.

We prove that either the adversary forces the following event E0, or the event
E1 happens with high probability. In either case the checksum validates with low
probability.

The first event E0 is called a deletion attempt, as the adversary in this case
just truncates an original ciphertext, but retains the last block.

Event E0 (deletion attempt): There is an $i \in [1..m]$ such that $2 \le L' < L^i$, and
(i) $\forall j \in [0..L'-2] : C'_j = C^i_j$, and
(ii) $C'_{L'-1} = C^i_{L^i-1}$.

Event E1 says that there is a block in the new ciphertext $C'$ such that its
$N$ variable is different from all previous $N$s (i.e. from original ciphertexts from
the first stage), and also different from all other new $N$s.

Event E1: there is an $x \in [1..L'-1]$ such that
(i) $\forall s \in [1..m]\ \forall j \in [1..L^s-1] : N'_x \neq N^s_j$, and
(ii) $\forall j \in [1..L'-1],\ j \neq x : N'_x \neq N'_j$.

We next show that in both cases (i.e. E0 or E1) the checksum validates with
low probability.

For the case that E0 happens, we have (since $S' = S^i$ and $N'_{L'-1} = N^i_{L^i-1}$)
that the checksum validates iff

$\bigoplus_{j=1}^{L'-1} P'_j = \bigoplus_{j=1}^{L'-2} P^i_j \oplus \bigoplus_{j=1}^{L^i-2} P^i_j \oplus S^i_{L'-1} \oplus S^i_{L^i-1} = 0$

Note that $r^i$ can be chosen after $P^i$ has been determined (as $P^i$ is a deterministic
function of $C^1, \ldots, C^{i-1}$), and hence the $S^i$s are independent of $P^i$. Since the
$S^i$s are pairwise differentially uniform and $L' < L^i$, the above event happens
with probability at most $2^{-n}$.

For the case E1, by Lemma 2, the checksum validates with probability at
most $1/(2^n - u - v)$.

Thus the adversary's success probability is upper bounded by

$\Pr[\neg(E0 \vee E1)] + \frac{1}{2^n - (u+v)} + \frac{1}{2^n}$

which by Lemma 3 is at most

$(m^2 + \mu^2 + u + v + 2) \cdot 2^{-n} + (u^2 + (m+1)^2) \cdot 2^{-n} + O(u+v) \cdot 2^{-2n}$

□

Lemma 2: $\Pr[\bigoplus_{j=1}^{L'-1} P'_j = 0 \mid E1] \le \frac{1}{2^n - (u+v)}$

Proof: $F$ being a random permutation, under E1 $F^{-1}(N'_x)$ cannot take values
already assigned to $F^{-1}(N^s_j)$, $s \in [1..m]$, $j \in [1..L^s-1]$. Also, $F^{-1}(N'_x)$ can
be chosen after the $F^{-1}(N'_j)$ have been assigned values ($j \neq x$). Thus, under the
condition that event E1 has happened, we have that $M'_x = F^{-1}(N'_x)$ can take
any of the other values, i.e. excluding the following (at most) $(\mu + m) + L' - 2$
values, with equal probability (independently of $C$, $C'$, $r^i$, $i \in [1..m]$, $G$, and
hence independently of $W$, and independent of E1 itself):

- values already taken by $M^s_j$, for each $s$, and

- the values to be taken (or already fixed) by $M'_j$, $j \in [1..L'-1]$, $j \neq x$.

Now, $\bigoplus_{j=1}^{L'-1} P'_j = 0$ iff

$F^{-1}(N'_x) = M'_x = \bigoplus_{j=1,\ j \neq x}^{L'-1} (M'_j \oplus S'_j) \oplus S'_x$

Given any value of the RHS, since the LHS can take (at least) $2^n - (u + v - 2)$
values, the probability of the LHS being equal to the RHS is at most $1/(2^n - (u+v))$.
□

Lemma 3: Let events E0, E1 be as in Theorem 1. Then,

$\Pr[\neg(E0 \vee E1)] \le (u^2 + u + v) \cdot 2^{-n} + (u^2 + (m+1)^2) \cdot 2^{-n}$

Proof: We first calculate the probability of event $(E0 \vee E1)$ happening under the
assumption that $F$ and $G$ are random functions (instead of random permutations).
Since $F$ (and $G$) is invoked only $u$ times ($(m+1)$ times resp.), a standard
argument shows that the error introduced in calculating the probability of event
$(E0 \vee E1)$ is at most $(u^2 + (m+1)^2) \cdot 2^{-n}$.

We now consider an event which says that all the $M$ variables are different.
The goal is to claim independence of the corresponding $N$ variables, and hence
the $C$ variables. However, the situation is complicated by the fact that the condition
that all the $M^i_j$ variables for some $i$ are different may cause the variables
$C^{i'}$, for $i' < i$, to be no longer independent. However, a weaker statement can be
proved by induction. To this end, consider the event E2($y$), for $y \le m$:

$\forall i, i' \in [1..y],\ \forall j, j',\ j \in [1..L^i - 1],\ j' \in [1..L^{i'} - 1],\ (i, j) \neq (i', j') : M^i_j \neq M^{i'}_{j'}$

Event E2($m$) will also be denoted by E2.

We also predicate on the event that all the initial variables $C^i_0$ are different.
Let E3 be the event that

$\forall i, j \in [1..m],\ i \neq j : C^i_0 \neq C^j_0$

For $\vec{r} = r^1, \ldots, r^m$, all $r^i$ different, let E3($\vec{r}$) be the event that for all $i \in [1..m]$,
$C^i_0 = r^i$.

Let $l()$ be the length of the first ciphertext (determined by the adversary). We
will use constants $c^i$ to denote strings of arbitrary block length. We will use $c$ to
denote the sequence $c^1, \ldots, c^m$. The function $|\cdot|$ is used below to represent the length
of a message in blocks. Given a sequence of ciphertext messages $c^1, \ldots, c^i$, $i < m$,
let $l(c^i, \ldots, c^1)$ be the length of the $(i+1)$th ciphertext (which is determined
by the adversary, and therefore is a deterministic function of $c^1, \ldots, c^i$). Recall
that each ciphertext includes the block $C^i_0$, which is just $r^i$ under E3($\vec{r}$). Also,
since $C'$ is a deterministic function of $C$, given $c^1, \ldots, c^m$ let the ciphertext in the
second stage be $c'$ with length $l'$. We have

$\Pr[\neg(E0 \vee E1) \wedge E2 \mid E3(\vec{r})] = \sum_{c^1 : |c^1| = l()}\ \sum_{c^2 : |c^2| = l(c^1)} \cdots \sum_{c^m : |c^m| = l(c^{m-1}, \ldots, c^1)} \Pr[\neg(E0 \vee E1) \wedge \bigwedge_i C^i = c^i \wedge E2 \mid E3(\vec{r})] \quad (1)$

In this sum, if for some $i$, $c^i_0 \neq r^i$, then the inside expression is zero. Also, if
event E0 holds for $c$ (which determines $c'$), then the inside expression above for
that $c$ is zero. So, from now on, we will assume that E0 does not hold for $C = c$.
Then, the inside expression above becomes:

$\Pr[\neg(E0 \vee E1) \wedge \bigwedge_i C^i = c^i \wedge E2 \mid E3(\vec{r})]$

$\le \min_{x \in [1..l'-1]} \Big\{ \sum_{s \in [1..m]} \sum_{j \in [1..|c^s|-1]} \Pr[(N'_x = N^s_j) \wedge \bigwedge_i C^i = c^i \wedge E2 \mid E3(\vec{r})]$

$\quad + \sum_{j \in [1..l'-1],\ j \neq x} \Pr[(N'_x = N'_j) \wedge \bigwedge_i C^i = c^i \wedge E2 \mid E3(\vec{r})] \Big\}$



Encryption Modes with Almost Free Message Integrity 539 



For each $s, j$, we have $(N'_x = N^s_j)$ iff $(S'_{x^*} \oplus S^s_{j^*}) = (C'_x \oplus C^s_j)$, where $S'_{x^*}, S^s_{j^*}$
are the masks that are used for these ciphertext blocks. That is, $j^* = j$ if
$j < |c^s| - 1$ and $j^* = 0$ otherwise, and similarly $x^* = x$ if $x < l' - 1$ and $x^* = 0$
otherwise. (Similarly, for $j \neq x$ we have $(N'_x = N'_j)$ iff $(S'_{x^*} \oplus S'_{j^*}) = (C'_x \oplus C'_j)$.)

Since each of the summands in the expression above has a conjunct $C = c$
for some constant string $c$ (and since the forged ciphertext $C'$ is a function
of $C$), it follows that each of the summands in the first sum can be written as
$\Pr[(S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j) \wedge C = c \wedge E2 \mid E3(\vec{r})]$. Note that $S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0)$
can in some cases be identically zero. As $c$ is some constant string, $c'_x \oplus c^s_j$
is also constant, and recall that the variables $S'(c'_0)$ depend only on the choice
of $G$. Thus, each of these summands (if $S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0)$ is not identically zero)
can be bounded by

$\Pr[S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j \wedge C = c \wedge E2 \mid E3(\vec{r})]$

$= \Pr[C = c \wedge E2 \mid S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j \wedge E3(\vec{r})] \cdot \Pr[S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j \mid E3(\vec{r})]$

$\le (2^{-n})^{\mu} \cdot \Pr[S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j \mid E3(\vec{r})]$

where the last inequality follows by Claim 5 with $\mu = \sum_{i \in [1..m]} (|c^i| - 1)$.
A similar inequality holds for the summands in the second sum (i.e. the $N'_x = N'_j$
case). Thus, by Claim 4, the inside expression in equation (1) is at most
$2^{-n\mu} \cdot (u + v) \cdot 2^{-n}$. Since we have $2^{n\mu}$ summands, it follows that

$\Pr[\neg(E0 \vee E1) \wedge E2 \mid E3(\vec{r})] \le (u + v) \cdot 2^{-n}$

Finally, we calculate $\Pr[\neg(E0 \vee E1)]$:

$\Pr[\neg(E0 \vee E1)]$

$\le \Pr[\neg(E0 \vee E1) \wedge E2 \mid E3] + \Pr[\neg E2 \mid E3] + \Pr[\neg E3]$

$\le \Pr[\neg E3] + \sum_{\vec{r}} \big( (\Pr[\neg(E0 \vee E1) \wedge E2 \mid E3(\vec{r})] + \Pr[\neg E2 \mid E3(\vec{r})]) \cdot \Pr[E3(\vec{r}) \mid E3] \big)$

$\le m^2 \cdot 2^{-n} + (u + v) \cdot 2^{-n} + \mu^2 \cdot 2^{-n}$

where the last inequality follows by Claim 6. □

Claim 4: For each constant $c$ (and its corresponding $c'$) for which event E0 does
not hold, and constant $\vec{r}$ with distinct values, there is an $x \in [1..l'-1]$ such
that

(i) $\forall s \in [1..m]\ \forall j \in [1..|c^s|-1]$:
if $S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0)$ is identically zero then $c'_x \oplus c^s_j \neq 0$, otherwise

$\Pr[S'_{x^*}(c'_0) \oplus S^s_{j^*}(c^s_0) = c'_x \oplus c^s_j \mid E3(\vec{r})] \le 2^{-n}$,

(ii) $\forall j \in [1..l'-1],\ j \neq x$:

$\Pr[S'_{x^*}(c'_0) \oplus S'_{j^*}(c'_0) = c'_x \oplus c'_j \mid E3(\vec{r})] \le 2^{-n}$

Proof: These are the different cases (we will drop the argument from $S^s$ and $S'$
as it will be clear from context):

(a) (New IV) If for all $i \in [1..m]$, $c'_0 \neq r^i$, then we choose $x = 1$. In that case
$N'_1 = N'_j$ is the same as $C'_1 \oplus C'_j = S'_1 \oplus S'_{j^*}$, where $j^* = j$ if $j \neq (l'-1)$, and
$j^* = 0$ otherwise. Thus, for $j \in [1..l'-1]$, $j \neq x$, since $S'$ is pairwise differentially
uniform, the probability of $(S'_1 \oplus S'_{j^*} = c'_1 \oplus c'_j)$ is $2^{-n}$ (even under E3($\vec{r}$)).

Similarly, $N'_1 = N^s_j$ is the same as $C'_1 \oplus C^s_j = S'_1 \oplus S^s_{j^*}$, where $j^* = j$ if $j \neq |c^s|-1$,
and $j^* = 0$ otherwise. Under event E3($\vec{r}$), and the fact that $c'_0$ is different from
all $r^i$, we have that $S'_1 \oplus S^s_{j^*}$ is uniformly distributed.

(b) There exists a $k$, $k \in [1..m]$, such that $c'_0 = r^k$. For all other $k' \in [1..m]$,
$c'_0 \neq r^{k'}$. Thus $S' = S^k$. We have several cases:

(b1) (truncation attempt) If $c'$ is a truncation of $c^k$, then we let $x = l'-1$, which
is the index of the last block of $c'$.

(b2) (extension attempt) If $c'$ is an extension of $c^k$, then we let $x = |c^k|-1$, which
is the index of the last block of $c^k$.

(b3) Otherwise, let $x$ be the least index in which $c'$ and $c^k$ are different.

In all the cases (b1), (b2) and (b3), conjunct (ii) is handled as in (a).

In case (b1), $N'_x = N^s_j$ is the same as $C'_{l'-1} \oplus S'_0 = C^s_j \oplus S^s_{j^*}$, where $j^* = j$ if
$j \neq |c^s|-1$, and $j^* = 0$ otherwise. Now, for $s = k$, $j^* = 0$ (in which case $S'_0 \oplus S^k_0$
is identically zero), we have $c'_x \oplus c^s_j = c'_{l'-1} \oplus c^k_{|c^k|-1}$. This quantity is not zero,
since E0 (the deletion attempt) doesn't hold for $c$. Otherwise, $S'_0 \oplus S^s_{j^*} = S^k_0 \oplus S^s_{j^*}$
is uniformly distributed.

In case (b2), $N'_x = N^s_j$ is the same as $C'_x \oplus S'_x = C^s_j \oplus S^s_{j^*}$, where $j^* = j$
if $j \neq |c^s|-1$, and $j^* = 0$ otherwise. When $s = k$, $j^*$ is never $|c^k|-1$, and hence
$S'_x \oplus S^s_{j^*}$ is uniformly distributed.

In case (b3), $N'_x = N^s_j$ is the same as $C'_x \oplus S'_{x^*} = C^s_j \oplus S^s_{j^*}$, where $j^* = j$ if
$j \neq |c^s|-1$, $j^* = 0$ otherwise, and $x^* = x$ if $x \neq (l'-1)$, and $x^* = 0$
otherwise. If $s = k$, and $j^* = x^*$, then either $j^* = x^* = 0$, or $j = x$. In the
latter case, $c'_x \oplus c^s_j = c'_x \oplus c^k_x$, which is non-zero as $x$ is the index in which $c'$
and $c^k$ differ. In the former case, $j = |c^k|-1$, and $x = (l'-1)$. In this case,
$c'_x \oplus c^s_j = c'_{l'-1} \oplus c^k_{|c^k|-1}$. If this quantity is zero, then since $x$ ($= l'-1$) was the
least index in which $c^k$ and $c'$ differed, event E0 would hold for $c$, leading to a
contradiction. In the other cases, $S'_{x^*} \oplus S^s_{j^*}$ is uniformly distributed. □

Recall that E3($\vec{r}$) is the event that all $C^i_0$ are distinct (and set to $\vec{r}$).

Claim 5: Let $l_1$ be the length of the first ciphertext. Let $y \le m$. For any
constant lengths $l_i$ ($i \in [2..y]$) and constant strings $c^i$ ($i \in [1..y]$, $|c^i| = l_i$), and
any event $\mathcal{G}$ independent of $F$,

$\Pr[\bigwedge_{i \in [1..y]} C^i = c^i \wedge E2(y) \mid \mathcal{G} \wedge E3(\vec{r})] \le (2^{-n})^{\mu}$

where $\mu = \sum_{i \in [1..y]} (l_i - 1)$.
Proof: The above probability is zero unless for all $i \in [2..y]$, $l_i = l(c^{i-1}, \ldots, c^1)$.
From now on, we will assume that the $l_i$ are indeed such.

We do induction over $y$, with base case $y = 0$.

The base case is vacuously true, as $\mu = 0$ and the conditional probability of TRUE
is 1.

Now assume that the claim is true for $y$. We prove the claim for $y + 1$. The
explanation for the inequalities is given below the sequence of inequalities.

$\Pr[\bigwedge_{i \in [1..y+1]} C^i = c^i \wedge E2(y+1) \mid \mathcal{G} \wedge E3(\vec{r})]$

$\le \Pr[C^{y+1} = c^{y+1} \mid \bigwedge_{i \in [1..y]} C^i = c^i \wedge E2(y+1) \wedge \mathcal{G} \wedge E3(\vec{r})] \cdot \Pr[\bigwedge_{i \in [1..y]} C^i = c^i \wedge E2(y+1) \mid \mathcal{G} \wedge E3(\vec{r})]$

$\le (2^{-n})^{l_{y+1} - 1} \cdot \Pr[\bigwedge_{i \in [1..y]} C^i = c^i \wedge E2(y) \mid \mathcal{G} \wedge E3(\vec{r})]$

The second inequality follows because under the condition E2($y+1$), all the
$M^{y+1}_j$ are different from the previous $M$s, and hence the sequence of variables
$F(M^{y+1}_j)$, for all $j \in [1..l_{y+1} - 1]$, can take all possible $(2^n)^{(l_{y+1} - 1)}$ values,
independently of $G$ and of $C^i$, $i \le y$, and hence also of all ciphertext messages till
index $y$. Hence, the sequence $C^{y+1}_j = F(M^{y+1}_j) \oplus S^{y+1}_{j^*}$ can take all possible
values. Moreover, $l_{y+1} = l(c^y, \ldots, c^1)$.

The last inequality follows by induction. □

Claim 6: For every fixed $\vec{r}$ with distinct values,

$\Pr[\neg E2 \mid E3(\vec{r})] \le \mu^2 \cdot 2^{-n}$

Proof: Recall that event E2 is

$\forall i, i' \in [1..m],\ \forall j, j',\ j \in [1..L^i - 1],\ j' \in [1..L^{i'} - 1],\ (i, j) \neq (i', j') : M^i_j \neq M^{i'}_{j'}$

Under E3($\vec{r}$), we have

(a) The set of variables $\{W^i_1\}$, $i \in [1..m]$, are uniformly random and independent
variables.

(b) For each $i$, the variable $W^i_1$ is independent of all ciphertext messages $C^{i'}$,
$i' < i$, and hence of all plaintext messages $P^{i'}$, $i' \le i$. This follows because $W^i_1$ can
be chosen after $C^{i'}$, $i' < i$, have been chosen.

Given E3($\vec{r}$), the probability that event E2 does not happen is at most
$(\sum_{i \in [1..m]} (L^i - 1))^2 \cdot 2^{-n}$, which is at most $\mu^2 \cdot 2^{-n}$. This is seen as follows:

$\Pr[M^i_j = M^{i'}_{j'}] = \Pr[P^i_j \oplus S^i_j = P^{i'}_{j'} \oplus S^{i'}_{j'}] = \Pr[S^i_j = S^{i'}_{j'} \oplus P^i_j \oplus P^{i'}_{j'}]$

Without loss of generality, let $i \ge i'$. Then from (b) above it follows that this
probability is at most $2^{-n}$ (if $i = i'$, then we also use the fact that the sequence
$S$ is pairwise differentially uniform). □



4.1 General Case

We now prove the scheme IAPM ($t > 1$) secure for message integrity. Here $F$
and $G$ are independent random permutations.

Theorem 4: Let $A$ be an adversary attacking the message integrity of IAPM
($t > 1$) with random permutations $F$ and $G$. Let $A$ make at most $m$ queries in
the first stage, totaling at most $\mu$ blocks. Let $u = \mu + m$. Let $v$ be the maximum
number of blocks in the second stage. Then for adversary $A$,

$\mathrm{Succ} \le (2u^2 + 2tm^2 + tm + t^2(m+1)^2 + 3t(2m+1)(m+u) + 2 + o(1)) \cdot 2^{-n}$

Proof Sketch: We first calculate the adversary's success probability assuming that
$G$ is a random function. Then, the error introduced in the probability because
of this approximation is at most $(t(m+1))^2 \cdot 2^{-n}$.

The differences in the proof from that of Theorem 1 are (i) we cannot assume
a priori that the sequence $S^i$ is pairwise differentially uniform, (ii) E3($\vec{r}$) as
defined in Lemma 3 does not imply that $S^i$ is independent of $S^j$ for $i \neq j$, (iii) in the
proof of Theorem 1, the case of event E0 requires $S^i$ to be pairwise differentially
uniform, and (iv) in Claim 4 case (a), $S'(c'_0)$ is not necessarily independent of all
$S^i(r^i)$.

To this end, event E3 is now defined to be the event that all entries in the
following (multi-)set are different:

$\{C^i_0,\ i \in [1..m]\} \cup \{G(C^i_0) + j - 1,\ i \in [1..m],\ j \in [1..t-1]\}$

For $\vec{r} = r^1, \ldots, r^m$, all $r^i$ different, let E3($\vec{r}$) be the event E3 and that for all
$i \in [1..m]$, $C^i_0 = r^i$.

For $\vec{r} = r^1, \ldots, r^m$, all $r^i$ different, $\Pr[\neg E3(\vec{r})] \le (2tm^2 + tm) \cdot 2^{-n}$.

Under event E3, for all $i \in [1..m]$ the sequence $S^i$ is pairwise differentially
uniform, and is independent of $S^j$ ($j \in [1..m]$, $j \neq i$). Now (in Theorem 1) the
case of event E0 is also handled under the condition E3($\vec{r}$).

In Claim 4, case (a) (i.e. New IV) now requires showing that $S'(c'_0)$ (with $c'_0$
different from all $r^i$) is independent of all $S^i(r^i)$ ($i \in [1..m]$).

Consider the following events (note that $W^i_1 = G(r^i)$):

Event E4: $\forall i \in [1..m],\ \forall j \in [1..t-1] : c'_0 \neq W^i_1 + j - 1$.

Event E5: $\forall i \in [1..m] : |G(c'_0) - W^i_1| > t \ \wedge\ |G(c'_0) - r^i| > t \ \wedge\ |G(c'_0) - c'_0| > t$.

Now given that, for all $k \in [1..m]$, $c'_0 \neq r^k$, and under event E4, it is the case
that $c'_0$ has never been an oracle query to $G$, and thus $\Pr[\neg E5 \mid E4 \wedge E3(\vec{r})]
\le 2t(2m+1) \cdot 2^{-n}$. Also, $\Pr[\neg E4 \mid E3(\vec{r})] \le mt \cdot 2^{-n}$.

Under events E4, E5 and E3($\vec{r}$), and $c'_0$ different from all $r^i$, $S'(c'_0)$ is indeed
independent of the previous $S^i(r^i)$, and is also pairwise differentially uniform. □
4.2 Modes Using $GF_p$

In another variant of IACBC and IAPM, a pair-wise differentially uniform sequence
in $GF_p$ is employed for "whitening" the output (and the input for parallel
modes). However, now "whitening" refers to adding modulo $2^n$, instead of performing
an exclusive-or operation. Theorems 1 and 5 also hold for encryption
schemes which employ sequences which are pair-wise differentially-uniform in
$GF_p$; the success probabilities, however, are now in terms of $2/p$ instead of $1/2^n$.
The condition $N'_i = N_j$ would now translate to $C'_i - S_i = C_j - S_j$, which is the
same as $S_i - S_j = C'_i - C_j$ (here the subtraction is $n$-bit integer subtraction).
It can be shown that if $S_i, S_j$ are independent of $C'_i, C_j$, then the probability of
this event is at most $2/p$.

5 Message Secrecy

We state the theorem for security under the Find-then-Guess notion of security.
The proof follows standard techniques.

Theorem 5: Let $A$ be an adversary attacking the encryption scheme IAPM in
Figure 2 (with $f$ being a random permutation $F$) in the find-then-guess sense,
making at most $q$ queries, totaling at most $\mu$ blocks. Then,

$\mathrm{Adv}_A \le (2\mu^2) \cdot 2^{-n}$



6 Security of IACBC

Theorem 6: Let $A$ be an adversary attacking the message integrity of IACBC
with random permutations $F$ and $G$. Let $A$ make at most $m$ queries in the first
stage, totaling at most $\mu$ blocks. Let $u = \mu + m$. Let $v$ be the maximum number
of blocks in the second stage. Then for adversary $A$,

$\mathrm{Succ} \le (2(u+1)^2 + 2tm^2 + t^2(m+1)^2 + 3tmu + 2(u+v+1) + 2 + o(1)) \cdot 2^{-n}$

Theorem 5 continues to hold for IACBC. Proofs of Theorems 5 and 6 and the IACBC
variant of Theorem 5 will be given in the full version of the paper.